diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 6accd5ec24c1..82bfa94f8712 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -14,6 +14,7 @@ options:
 stig: aes256-ctr,aes192-ctr,aes128-ctr
 stig_extended: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
 stig_rhel9: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+ stig_rhel10: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
 default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_rhel8: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
 cis_rhel9: -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
diff --git a/linux_os/guide/services/ssh/sshd_approved_macs.var b/linux_os/guide/services/ssh/sshd_approved_macs.var
index 957ab19dbff8..327b3f2d09a7 100644
--- a/linux_os/guide/services/ssh/sshd_approved_macs.var
+++ b/linux_os/guide/services/ssh/sshd_approved_macs.var
@@ -14,6 +14,7 @@ options:
 stig: hmac-sha2-512,hmac-sha2-256
 stig_extended: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 stig_rhel9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+ stig_rhel10: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
 default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
 cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
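Review bot: The new `stig_rhel10` cipher option is a verbatim copy of `stig_rhel9`, including the ordering that puts the non-AEAD `aes256-ctr` ahead of the AEAD `aes128-gcm@openssh.com`; elsewhere in this diff (`RHEL-10-300030`) the same option is fed to `harden_sshd_ciphers_openssh_conf_crypto_policy`, i.e. the client side, where list order is the client's preference and therefore decides which cipher is negotiated when the server offers both (server-side order does not affect negotiation per the SSH transport rules). If that order is deliberately mirrored from the published STIG check text, say so above the key, e.g. `# stig_rhel10: order copied from the STIG check text; on the client profile this is a preference order`, so a later reader does not "fix" it and break the benchmark match. If it is not deliberate, consider listing both GCM suites before the CTR ones. A one-line note on why a separate `stig_rhel10` key exists when its value equals `stig_rhel9` (to let the two baselines diverge once the RHEL 10 STIG is finalized, presumably) would also help.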
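Review bot: The added `stig_rhel10` MAC list prefers `hmac-sha2-256-etm@openssh.com` over `hmac-sha2-512-etm@openssh.com`, the reverse of the `stig` and `stig_extended` entries two lines above, and `RHEL-10-300050` in this same diff applies it to the client configuration (`harden_sshd_macs_openssh_conf_crypto_policy`), where the order is a preference order. Both orderings are FIPS-acceptable, but two opposite conventions for the same family of profiles in one file invites accidental drift; either align them or add a comment such as `# stig_rhel9/stig_rhel10: order follows the STIG check text, not the stig/stig_extended convention`. Note also that the list still admits the non-ETM `hmac-sha2-256`/`hmac-sha2-512`; with ETM variants listed first they will only be chosen against a peer that offers no ETM MAC, which is worth stating so nobody assumes ETM is enforced.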
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
index cdece146f9a3..db44abd7ffe0 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
 cce@rhel8: CCE-86038-7
 cce@rhel9: CCE-86040-3
+ cce@rhel10: CCE-86492-6
 references:
 nist: CM-6(b),CM-6.1(iv)
diff --git a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml
index 5ac5994ae367..f6829b70b6a0 100644
--- a/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml
+++ b/linux_os/guide/system/software/updating/enable_gpgcheck_for_all_repositories/rule.yml
@@ -20,6 +20,7 @@ severity: high
 identifiers:
 cce@rhel8: CCE-86187-2
+ cce@rhel10: CCE-86484-3
 references:
 srg: SRG-OS-000366-GPOS-00153
diff --git a/products/rhel10/controls/stig_rhel10.yml b/products/rhel10/controls/stig_rhel10.yml
new file mode 100644
index 000000000000..94647d455223
--- /dev/null
+++ b/products/rhel10/controls/stig_rhel10.yml
@@ -0,0 +1,3400 @@ +--- +policy: Red Hat Enterprise Linux 10 Security Technical Implementation Guide +title: Red Hat Enterprise Linux 10 Security Technical Implementation Guide +id: stig_rhel10 +version: V1R1 +source: https://www.cyber.mil/stigs/downloads/ +reference_type: stigid +product: rhel10 + +levels: + - id: high + - id: medium + - id: low + +controls: + - id: RHEL-10-700970 + levels: + - medium + title: RHEL 10 must disable the debug-shell systemd service. + rules: + - service_debug-shell_disabled + status: automated + - id: RHEL-10-001020 + levels: + - medium + title: RHEL 10 must ensure cryptographic verification of vendor software packages. + rules: + - ensure_redhat_gpgkey_installed + - package_sequoia-sq_installed + status: automated + - id: RHEL-10-001030 + levels: + - high + title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of software packages originating + from external software repositories before installation. + rules: + - ensure_gpgcheck_globally_activated + status: automated + - id: RHEL-10-001040 + levels: + - high + title: RHEL 10 must check the GNU Privacy Guard (GPG) signature of locally installed software packages + before installation. + rules: + - ensure_gpgcheck_local_packages + status: automated + - id: RHEL-10-001050 + levels: + - high + title: RHEL 10 must have GNU Privacy Guard (GPG) signature verification enabled for all software + repositories. + rules: + - enable_gpgcheck_for_all_repositories + status: automated + - id: RHEL-10-000510 + levels: + - high + title: RHEL 10 must implement cryptographic mechanisms to prevent unauthorized disclosure or modification + of all information on local disk partitions that requires at-rest protection. + rules: + - encrypt_partitions + status: automated + - id: RHEL-10-000520 + levels: + - low + title: RHEL 10 must use a separate file system for the system audit data path. 
+ rules: + - partition_for_var_log_audit + status: automated + - id: RHEL-10-000530 + levels: + - medium + title: RHEL 10 must use a separate file system for user home directories (such as "/home" or an + equivalent). + rules: + - partition_for_home + status: automated + - id: RHEL-10-000540 + levels: + - medium + title: RHEL 10 must use a separate file system for "/tmp". + rules: + - partition_for_tmp + status: automated + - id: RHEL-10-000550 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var". + rules: + - partition_for_var + status: automated + - id: RHEL-10-000560 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var/log". + rules: + - partition_for_var_log + status: automated + - id: RHEL-10-000570 + levels: + - medium + title: RHEL 10 must use a separate file system for "/var/tmp". + rules: + - partition_for_var_tmp + status: automated + - id: RHEL-10-200000 + levels: + - medium + title: RHEL 10 must remove all software components after updated versions have been installed. + rules: + - clean_components_post_updating + status: automated + - id: RHEL-10-200010 + levels: + - medium + title: RHEL 10 must not have the "nfs-utils" package installed. + rules: + - package_nfs-utils_removed + status: automated + - id: RHEL-10-200020 + levels: + - high + title: RHEL 10 must not have the "telnet-server" package installed. + rules: + - package_telnet-server_removed + status: automated + - id: RHEL-10-200030 + levels: + - medium + title: RHEL 10 must not have the "gssproxy" package installed. + rules: + - package_gssproxy_removed + status: automated + - id: RHEL-10-200040 + levels: + - medium + title: RHEL 10 must not have the tuned package installed. 
+ rules: + - package_tuned_removed + status: automated + - id: RHEL-10-200050 + levels: + - medium + title: RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless + it is required by the mission, and if required, the TFTP daemon must be configured to operate + in secure mode. + rules: + - package_tftp-server_removed + status: automated + - id: RHEL-10-200060 + levels: + - medium + title: RHEL 10 must not have the unbound package installed. + rules: + - package_unbound_removed + status: automated + - id: RHEL-10-200070 + levels: + - high + title: RHEL 10 must not have the "tftp" package installed. + rules: + - package_tftp_removed + status: automated + - id: RHEL-10-200080 + levels: + - medium + title: RHEL 10 must not have the "gdm" package installed. + rules: + - package_gdm_removed + status: automated + - id: RHEL-10-200090 + levels: + - high + title: RHEL 10 must not have a File Transfer Protocol (FTP) server package installed. + rules: + - package_vsftpd_removed + status: automated + - id: RHEL-10-200500 + levels: + - medium + title: RHEL 10 must have the "subscription-manager" package installed. + rules: + - package_subscription-manager_installed + status: automated + - id: RHEL-10-200510 + levels: + - medium + title: RHEL 10 must have the "nss-tools" package installed. + rules: + - package_nss-tools_installed + status: automated + - id: RHEL-10-200520 + levels: + - medium + title: RHEL 10 must have the "s-nail" package installed. + rules: + - package_s-nail_installed + status: automated + - id: RHEL-10-200530 + levels: + - medium + title: RHEL 10 must have the "firewalld" package installed. + rules: + - package_firewalld_installed + status: automated + - id: RHEL-10-200531 + levels: + - medium + title: RHEL 10 must have the "firewalld" service set to active. 
+ rules: + - service_firewalld_enabled + status: automated + - id: RHEL-10-200532 + levels: + - medium + title: RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other + systems. + rules: + - configured_firewalld_default_deny + related_rules: + - set_firewalld_default_zone + status: automated + - id: RHEL-10-200540 + levels: + - medium + title: RHEL 10 must have the "chrony" package installed. + rules: + - package_chrony_installed + status: automated + - id: RHEL-10-200541 + levels: + - medium + title: RHEL 10 must enable the chronyd service. + rules: + - service_chronyd_enabled + status: automated + - id: RHEL-10-200542 + levels: + - medium + title: RHEL 10 must disable the chrony daemon from acting as a server. + rules: + - chronyd_client_only + status: automated + - id: RHEL-10-200543 + levels: + - medium + title: RHEL 10 must disable network management of the chrony daemon. + rules: + - chronyd_no_chronyc_network + status: automated + - id: RHEL-10-200560 + levels: + - medium + title: RHEL 10 must have the USBGuard package installed. + rules: + - package_usbguard_installed + status: automated + - id: RHEL-10-200561 + levels: + - medium + title: RHEL 10 must have the USBGuard package enabled. + rules: + - service_usbguard_enabled + status: automated + - id: RHEL-10-200562 + levels: + - medium + title: RHEL 10 must block unauthorized peripherals before establishing a connection. + rules: + - usbguard_generate_policy + status: automated + - id: RHEL-10-200563 + levels: + - medium + title: RHEL 10 must enable audit logging for the USBGuard daemon. + rules: + - configure_usbguard_auditbackend + status: automated + - id: RHEL-10-200570 + levels: + - medium + title: RHEL 10 must have the "policycoreutils" package installed. + rules: + - package_policycoreutils_installed + status: automated + - id: RHEL-10-200580 + levels: + - medium + title: RHEL 10 must have the "policycoreutils-python-utils" package installed. 
+ rules: + - package_policycoreutils-python-utils_installed + status: automated + - id: RHEL-10-200590 + levels: + - medium + title: RHEL 10 must have the "sudo" package installed. + rules: + - package_sudo_installed + status: automated + - id: RHEL-10-200600 + levels: + - medium + title: RHEL 10 must have the "fapolicy" module installed. + rules: + - package_fapolicyd_installed + status: automated + - id: RHEL-10-200601 + levels: + - medium + title: RHEL 10 must enable the "fapolicy" module. + rules: + - service_fapolicyd_enabled + status: automated + - id: RHEL-10-200602 + levels: + - medium + title: RHEL 10 must be configured to employ a deny-all, permit-by-exception policy to allow the + execution of authorized software programs. + rules: + - fapolicy_default_deny + status: automated + - id: RHEL-10-200610 + levels: + - medium + title: RHEL 10 must have the "pcsc-lite" package installed. + rules: + - package_pcsc-lite_installed + status: automated + - id: RHEL-10-200611 + levels: + - medium + title: RHEL 10 must have the "pcscd" service set to active. + rules: + - service_pcscd_enabled + status: automated + - id: RHEL-10-200612 + levels: + - medium + title: RHEL 10 must have the "pcsc-lite-ccid" package installed. + rules: + - package_pcsc-lite-ccid_installed + status: automated + - id: RHEL-10-200620 + levels: + - medium + title: RHEL 10 must have the "opensc" package installed. + rules: + - package_opensc_installed + status: automated + - id: RHEL-10-200621 + levels: + - medium + title: RHEL 10 must use the common access card (CAC) smart card driver. + rules: + - configure_opensc_card_drivers + - var_smartcard_drivers=cac + status: automated + - id: RHEL-10-200630 + levels: + - medium + title: RHEL 10 must have the Advanced Intrusion Detection Environment (AIDE) package installed. 
+ rules: + - package_aide_installed + status: automated + - id: RHEL-10-200631 + levels: + - high + title: RHEL 10 must use cryptographic mechanisms to protect the integrity of audit tools. + rules: + - aide_check_audit_tools + status: automated + - id: RHEL-10-200632 + levels: + - medium + title: RHEL 10 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic + hashes for validating file contents and directories. + rules: + - aide_use_fips_hashes + status: automated + - id: RHEL-10-200633 + levels: + - medium + title: RHEL 10 must routinely check the baseline configuration for unauthorized changes and notify + the system administrator when anomalies in the operation of any security functions are discovered. + rules: + - aide_build_database + - aide_periodic_cron_checking + - aide_scan_notification + - aide_use_fips_hashes + - package_aide_installed + status: automated + - id: RHEL-10-200634 + levels: + - medium + title: RHEL 10 must be configured so that the file integrity tool verifies Access Control Lists + (ACLs). + rules: + - aide_verify_acls + status: automated + - id: RHEL-10-200635 + levels: + - medium + title: RHEL 10 must be configured so that the file integrity tool verifies extended attributes. + rules: + - aide_verify_ext_attributes + status: automated + - id: RHEL-10-200640 + levels: + - medium + title: RHEL 10 must have the "rsyslog" package installed. + rules: + - package_rsyslog_installed + status: automated + - id: RHEL-10-200641 + levels: + - medium + title: RHEL 10 must have the rsyslog service set to active. + rules: + - service_rsyslog_enabled + status: automated + - id: RHEL-10-200642 + levels: + - medium + title: RHEL 10 must be configured to forward audit records via Transmission Control Protocol (TCP) + to a different system or media from the system being audited via rsyslog. 
+ rules: + - rsyslog_remote_loghost + status: automated + - id: RHEL-10-200643 + levels: + - medium + title: RHEL 10 must be configured so that the rsyslog daemon does not accept log messages from + other servers unless the server is being used for log aggregation. + rules: + - rsyslog_nolisten + status: automated + - id: RHEL-10-200644 + levels: + - medium + title: RHEL 10 must authenticate the remote logging server for off-loading audit logs via "rsyslog". + rules: + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode + status: automated + - id: RHEL-10-200645 + levels: + - medium + title: RHEL 10 must encrypt the transfer of audit records off-loaded onto a different system or + media from the system being audited via rsyslog. + rules: + - rsyslog_encrypt_offload_actionsendstreamdrivermode + status: automated + - id: RHEL-10-200646 + levels: + - medium + title: RHEL 10 must encrypt, via the gtls driver, the transfer of audit records off-loaded onto + a different system or media from the system being audited via rsyslog. + rules: + - rsyslog_encrypt_offload_defaultnetstreamdriver + status: automated + - id: RHEL-10-200647 + levels: + - medium + title: RHEL 10 must monitor all remote access methods. + rules: + - rsyslog_remote_access_monitoring + status: automated + - id: RHEL-10-200648 + levels: + - medium + title: RHEL 10 must use cron logging. + rules: + - rsyslog_cron_logging + status: automated + - id: RHEL-10-200650 + levels: + - medium + title: RHEL 10 must have the packages required for encrypting off-loaded audit logs installed. + rules: + - package_rsyslog-gnutls_installed + status: automated + - id: RHEL-10-200660 + levels: + - medium + title: RHEL 10 must have the "audit" package installed. + rules: + - package_audit_installed + status: automated + - id: RHEL-10-200661 + levels: + - medium + title: RHEL 10 must enable the audit service. 
+ rules: + - service_auditd_enabled + status: automated + - id: RHEL-10-200662 + levels: + - low + title: RHEL 10 must have the "audispd-plugins" package installed. + rules: + - package_audispd-plugins_installed + status: automated + - id: RHEL-10-200680 + levels: + - medium + title: RHEL 10 must have the "libreswan" package installed. + rules: + - package_libreswan_installed + status: automated + - id: RHEL-10-200690 + levels: + - medium + title: RHEL 10 must notify designated personnel if baseline configurations are changed in an unauthorized + manner. + rules: + - package_postfix_installed + status: automated + - id: RHEL-10-200691 + levels: + - medium + title: RHEL 10 must have mail aliases to notify the information system security officer (ISSO) + and system administrator (SA) (at a minimum) of an audit processing failure. + rules: + - postfix_client_configure_mail_alias + - postfix_client_configure_mail_alias_postmaster + - var_postfix_root_mail_alias=mil_sysadmin + status: automated + - id: RHEL-10-200692 + levels: + - medium + title: RHEL 10 must be configured to prevent unrestricted mail relaying. + rules: + - postfix_prevent_unrestricted_relay + status: automated + - id: RHEL-10-200700 + levels: + - medium + title: RHEL 10 must have the "cronie" package installed. + rules: + - package_cron_installed + status: automated + - id: RHEL-10-200720 + levels: + - medium + title: RHEL 10 must have a Secure Shell (SSH) server installed for all networked systems. + rules: + - package_openssh-server_installed + status: automated + - id: RHEL-10-200721 + levels: + - medium + title: RHEL 10 must, for all networked systems, have and implement Secure Shell (SSH) to protect + the confidentiality and integrity of transmitted and received information. + rules: + - service_sshd_enabled + status: automated + - id: RHEL-10-200722 + levels: + - medium + title: RHEL 10 must have the "openssh-clients" package installed. 
+ rules: + - package_openssh-clients_installed + status: automated + - id: RHEL-10-200730 + levels: + - medium + title: RHEL 10 must have the "pkcs11-provider" package installed. + rules: + - install_smartcard_packages + status: automated + - id: RHEL-10-200740 + levels: + - medium + title: RHEL 10 must have the "gnutls-utils" package installed. + rules: + - package_gnutls-utils_installed + status: automated + - id: RHEL-10-300000 + levels: + - high + title: RHEL 10 must have the "crypto-policies" package installed. + rules: + - package_crypto-policies_installed + status: automated + - id: RHEL-10-300010 + levels: + - high + title: RHEL 10 must implement a FIPS 140-3-compliant systemwide cryptographic policy. + rules: + - configure_crypto_policy + - var_system_crypto_policy=fips + status: automated + - id: RHEL-10-000500 + levels: + - high + title: RHEL 10 must enable FIPS mode. + rules: + - enable_fips_mode + - sysctl_crypto_fips_enabled + - system_booted_in_fips_mode + status: automated + - id: RHEL-10-300030 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption + ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality + of SSH client connections. + rules: + - harden_sshd_ciphers_openssh_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel10 + status: automated + - id: RHEL-10-300040 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption + ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality + of SSH server connections. 
+ rules: + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel10 + status: automated + - id: RHEL-10-300050 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message + Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to + protect the confidentiality of SSH client connections. + rules: + - harden_sshd_macs_openssh_conf_crypto_policy + - sshd_approved_macs=stig_rhel10 + status: automated + - id: RHEL-10-300060 + levels: + - high + title: RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message + Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to + protect the confidentiality of SSH server connections. + rules: + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sshd_approved_macs=stig_rhel10 + status: automated + - id: RHEL-10-300070 + levels: + - high + title: RHEL 10 must use FIPS 140-3-approved cryptographic algorithms for IP tunnels. + rules: + - configure_libreswan_crypto_policy + status: automated + - id: RHEL-10-300080 + levels: + - high + title: RHEL 10 must implement DOD-approved encryption in the bind package. + rules: + - configure_bind_crypto_policy + status: automated + - id: RHEL-10-300090 + levels: + - high + title: RHEL 10 cryptographic policy must not be overridden. + rules: + - configure_crypto_policy + - var_system_crypto_policy=fips + status: automated + - id: RHEL-10-400000 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group" file is owned by root. + rules: + - file_owner_etc_group + status: automated + - id: RHEL-10-400005 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root". 
+ rules: + - file_groupowner_etc_group + status: automated + - id: RHEL-10-400010 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". + rules: + - file_owner_backup_etc_group + status: automated + - id: RHEL-10-400015 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_group + status: automated + - id: RHEL-10-400020 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". + rules: + - file_owner_etc_gshadow + status: automated + - id: RHEL-10-400025 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root". + rules: + - file_groupowner_etc_gshadow + status: automated + - id: RHEL-10-400030 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". + rules: + - file_owner_backup_etc_gshadow + status: automated + - id: RHEL-10-400035 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_gshadow + status: automated + - id: RHEL-10-400040 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". + rules: + - file_owner_etc_passwd + status: automated + - id: RHEL-10-400045 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root". + rules: + - file_groupowner_etc_passwd + status: automated + - id: RHEL-10-400050 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". + rules: + - file_owner_backup_etc_passwd + status: automated + - id: RHEL-10-400055 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root". 
+ rules: + - file_groupowner_backup_etc_passwd + status: automated + - id: RHEL-10-400060 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". + rules: + - file_owner_etc_shadow + status: automated + - id: RHEL-10-400065 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root". + rules: + - file_groupowner_etc_shadow + status: automated + - id: RHEL-10-400070 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". + rules: + - file_owner_backup_etc_shadow + status: automated + - id: RHEL-10-400075 + levels: + - medium + title: RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root". + rules: + - file_groupowner_backup_etc_shadow + status: automated + - id: RHEL-10-400080 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log" directory is owned by "root". + rules: + - file_owner_var_log + status: automated + - id: RHEL-10-400085 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log" directory is group-owned by "root". + rules: + - file_groupowner_var_log + status: automated + - id: RHEL-10-400090 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log/"messages file is owned by root. + rules: + - file_owner_var_log_messages + status: automated + - id: RHEL-10-400095 + levels: + - medium + title: RHEL 10 must be configured so that the "/var/log/messages" file is group-owned by "root". + rules: + - file_groupowner_var_log_messages + status: automated + - id: RHEL-10-400100 + levels: + - medium + title: RHEL 10 must be configured so that system commands are owned by "root". + rules: + - file_ownership_binary_dirs + status: automated + - id: RHEL-10-400105 + levels: + - medium + title: RHEL 10 must be configured so that system commands are group-owned by root or a system account. 
+ rules: + - file_groupownership_system_commands_dirs + status: automated + - id: RHEL-10-400110 + levels: + - medium + title: RHEL 10 must be configured so that library files are owned by "root". + rules: + - file_ownership_library_dirs + status: automated + - id: RHEL-10-400115 + levels: + - medium + title: RHEL 10 must be configured so that library files are group-owned by "root" or a system account. + rules: + - root_permissions_syslibrary_files + status: automated + - id: RHEL-10-400120 + levels: + - medium + title: RHEL 10 must be configured so that library directories are owned by "root". + rules: + - dir_ownership_library_dirs + status: automated + - id: RHEL-10-400125 + levels: + - medium + title: RHEL 10 must be configured so that library directories are group-owned by "root" or a system + account. + rules: + - dir_group_ownership_library_dirs + status: automated + - id: RHEL-10-400130 + levels: + - medium + title: RHEL 10 must be configured so that cron configuration file directories are owned by root. + rules: + - file_owner_cron_d + - file_owner_cron_daily + - file_owner_cron_hourly + - file_owner_cron_monthly + - file_owner_cron_weekly + - file_owner_crontab + - file_owner_cron_deny + status: automated + - id: RHEL-10-400135 + levels: + - medium + title: RHEL 10 must be configured so that cron configuration files directories are group-owned + by root. + rules: + - file_groupowner_cron_d + - file_groupowner_cron_daily + - file_groupowner_cron_hourly + - file_groupowner_cron_monthly + - file_groupowner_cron_weekly + - file_groupowner_crontab + - file_groupowner_cron_deny + status: automated + - id: RHEL-10-400140 + levels: + - medium + title: RHEL 10 must be configured so that world-writable directories are owned by root, sys, bin, + or an application user. 
+ rules: + - dir_perms_world_writable_root_owned + status: automated + - id: RHEL-10-400145 + levels: + - medium + title: RHEL 10 must be configured so that all system device files are correctly labeled to prevent + unauthorized modification. + rules: + - selinux_all_devicefiles_labeled + status: automated + - id: RHEL-10-400150 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned + by "root". + rules: + - file_groupowner_sshd_config + - directory_groupowner_sshd_config_d + - file_groupowner_sshd_drop_in_config + status: automated + - id: RHEL-10-400155 + levels: + - medium + title: RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned + by "root". + rules: + - file_sshd_50_redhat_exists + - file_owner_sshd_config + - directory_owner_sshd_config_d + - file_owner_sshd_drop_in_config + notes: > + TODO: investigate if file_sshd_50_redhat_exists is a convenience rule or a prerequisite + or if it's superfluous and should be removed. + status: automated + - id: RHEL-10-400160 + levels: + - medium + title: RHEL 10 must ensure that all local interactive user home directories are group-owned by + the home directory owner's primary group. + rules: + - file_groupownership_home_directories + status: automated + - id: RHEL-10-400165 + levels: + - medium + title: RHEL 10 must enforce group ownership of audit logs by "root" or by a restricted logging + group to prevent unauthorized read access. + rules: + - file_group_ownership_var_log_audit + status: automated + - id: RHEL-10-400170 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of the audit log directory to prevent unauthorized + read access. + rules: + - directory_ownership_var_log_audit + status: automated + - id: RHEL-10-400175 + levels: + - medium + title: RHEL 10 must enforce "root" ownership of audit logs to prevent unauthorized access. 
+ rules: + - file_ownership_var_log_audit_stig + status: automated + - id: RHEL-10-400180 + levels: + - medium + title: RHEL 10 must enforce group ownership by "root" or a restricted logging group for audit log + files to prevent unauthorized access. + rules: + - directory_group_ownership_var_log_audit + status: automated + - id: RHEL-10-400185 + levels: + - medium + title: RHEL 10 must set mode "0600" or less permissive for the audit logs file to prevent unauthorized + access to the audit log. + rules: + - file_permissions_var_log_audit + status: automated + - id: RHEL-10-400190 + levels: + - medium + title: RHEL 10 must enforce the audit log directory to have a mode of "0750" or less permissive + to prevent unauthorized read access. + rules: + - directory_permissions_var_log_audit + status: automated + - id: RHEL-10-400195 + levels: + - medium + title: RHEL 10 must enforce root ownership of the "/etc/audit/" directory. + rules: + - file_ownership_audit_configuration + status: automated + - id: RHEL-10-400200 + levels: + - medium + title: RHEL 10 must enforce root group ownership of the "/etc/audit/" directory. + rules: + - file_groupownership_audit_configuration + status: automated + - id: RHEL-10-400205 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive for system commands. + rules: + - file_permissions_binary_dirs + status: automated + - id: RHEL-10-400210 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive on library directories. + rules: + - dir_permissions_library_dirs + status: automated + - id: RHEL-10-400215 + levels: + - medium + title: RHEL 10 must enforce mode "755" or less permissive for library files. + rules: + - file_permissions_library_dirs + status: automated + - id: RHEL-10-400220 + levels: + - medium + title: RHEL 10 must enforce mode "0755" or less permissive for the "/var/log" directory. 
+ rules: + - file_permissions_var_log + status: automated + - id: RHEL-10-400225 + levels: + - medium + title: RHEL 10 must enforce mode "0640" or less permissive for the "/var/log/messages" file. + rules: + - file_permissions_var_log_messages + status: automated + - id: RHEL-10-400230 + levels: + - medium + title: RHEL 10 must be configured to prohibit modification of permissions for cron configuration + files and directories from the operating system defaults. + rules: + - file_permissions_cron_d + - file_permissions_cron_daily + - file_permissions_cron_hourly + - file_permissions_cron_monthly + - file_permissions_cron_weekly + - file_permissions_crontab + status: automated + notes: > + TODO: STIG recommends to use rpm to verify that permissions match the operating system defaults. + - id: RHEL-10-400235 + levels: + - medium + title: RHEL 10 must enforce mode "0740" or less permissive for local initialization files. + rules: + - file_permission_user_init_files + - var_user_initialization_files_regex=all_dotfiles + status: automated + - id: RHEL-10-400240 + levels: + - medium + title: RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories. + rules: + - file_permissions_home_directories + status: automated + - id: RHEL-10-400245 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent + unauthorized access. + rules: + - file_permissions_etc_group + status: automated + - id: RHEL-10-400250 + levels: + - medium + title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent + unauthorized access. + rules: + - file_permissions_backup_etc_group + status: automated + - id: RHEL-10-400255 + levels: + - medium + title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent + unauthorized access. 
+ rules:
+ - file_permissions_etc_gshadow
+ status: automated
+ - id: RHEL-10-400260
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent
+ unauthorized access.
+ rules:
+ - file_permissions_backup_etc_gshadow
+ status: automated
+ - id: RHEL-10-400265
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent
+ unauthorized access.
+ rules:
+ - file_permissions_etc_passwd
+ status: automated
+ - id: RHEL-10-400270
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file to prevent unauthorized
+ access.
+ rules:
+ - file_permissions_backup_etc_passwd
+ status: automated
+ - id: RHEL-10-400275
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file to prevent unauthorized
+ access.
+ rules:
+ - file_permissions_backup_etc_shadow
+ status: automated
+ - id: RHEL-10-400280
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that a sticky bit is set on all public directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+ - id: RHEL-10-400285
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that all local files and directories have a valid group owner.
+ rules:
+ - file_permissions_ungroupowned
+ status: automated
+ - id: RHEL-10-400290
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that all local files and directories must have a valid owner.
+ rules:
+ - no_files_unowned_by_user
+ status: automated
+ - id: RHEL-10-400295
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access.
+ rules:
+ - file_permissions_etc_shadow
+ status: automated
+ - id: RHEL-10-400300
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that audit tools are owned by "root".
+ rules:
+ - file_audit_tools_ownership
+ status: automated
+ - id: RHEL-10-400305
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that audit tools are group-owned by "root".
+ rules:
+ - file_audit_tools_group_ownership
+ status: automated
+ - id: RHEL-10-400310
+ levels:
+ - medium
+ title: RHEL 10 must set the umask value to "077" for all local interactive user accounts.
+ rules:
+ - accounts_umask_interactive_users
+ - var_accounts_user_umask=077
+ status: automated
+ - id: RHEL-10-400315
+ levels:
+ - medium
+ title: RHEL 10 must define default permissions for the bash shell.
+ rules:
+ - accounts_umask_etc_bashrc
+ - var_accounts_user_umask=077
+ status: automated
+ - id: RHEL-10-400320
+ levels:
+ - medium
+ title: RHEL 10 must define default permissions for the c shell.
+ rules:
+ - accounts_umask_etc_csh_cshrc
+ - var_accounts_user_umask=077
+ status: automated
+ - id: RHEL-10-400325
+ levels:
+ - medium
+ title: RHEL 10 must define default permissions for all authenticated users in such a way that the
+ user can read and modify only their own files.
+ rules:
+ - accounts_umask_etc_login_defs
+ - var_accounts_user_umask=077
+ status: automated
+ - id: RHEL-10-400330
+ levels:
+ - medium
+ title: RHEL 10 must define default permissions for the system default profile.
+ rules:
+ - accounts_umask_etc_profile
+ - var_accounts_user_umask=077
+ status: automated
+ - id: RHEL-10-400335
+ levels:
+ - medium
+ title: RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles
+ have mode "0600" or less permissive.
+ rules:
+ - rootfiles_configured
+ status: automated
+ - id: RHEL-10-400340
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host
+ key files.
+ rules:
+ - file_permissions_sshd_private_key
+ status: automated
+ - id: RHEL-10-400345
+ levels:
+ - medium
+ title: RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file.
+ rules:
+ - file_groupowner_grub2_cfg
+ status: automated
+ - id: RHEL-10-400350
+ levels:
+ - medium
+ title: RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file.
+ rules:
+ - file_owner_grub2_cfg
+ status: automated
+ - id: RHEL-10-400355
+ levels:
+ - medium
+ title: RHEL 10 must prevent device files from being interpreted on file systems that contain user
+ home directories.
+ rules:
+ - mount_option_home_nodev
+ status: automated
+ - id: RHEL-10-400360
+ levels:
+ - medium
+ title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on
+ file systems that contain user home directories.
+ rules:
+ - mount_option_home_nosuid
+ status: automated
+ - id: RHEL-10-400365
+ levels:
+ - medium
+ title: RHEL 10 must prevent code from being executed on file systems that contain user home directories.
+ rules:
+ - mount_option_home_noexec
+ status: automated
+ - id: RHEL-10-400400
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/log/audit" with the "nodev" option.
+ rules:
+ - mount_option_var_log_audit_nodev
+ status: automated
+ - id: RHEL-10-400405
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/log/audit" with the "noexec" option.
+ rules:
+ - mount_option_var_log_audit_noexec
+ status: automated
+ - id: RHEL-10-400410
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/log/audit" with the "nosuid" option.
+ rules:
+ - mount_option_var_log_audit_nosuid
+ status: automated
+ - id: RHEL-10-400450
+ levels:
+ - medium
+ title: RHEL 10 must enforce a mode of "0755" or less permissive for audit tools.
+ rules:
+ - file_audit_tools_permissions
+ status: automated
+ - id: RHEL-10-400500
+ levels:
+ - medium
+ title: RHEL 10 must prohibit local initialization files from executing world-writable programs.
+ rules:
+ - accounts_user_dot_no_world_writable_programs
+ status: automated
+ - id: RHEL-10-500000
+ levels:
+ - medium
+ title: RHEL 10 must enable the systemd-journald service.
+ rules:
+ - service_systemd-journald_enabled
+ status: automated
+ - id: RHEL-10-500005
+ levels:
+ - medium
+ title: RHEL 10 must enable auditing of processes that start prior to the audit daemon.
+ rules:
+ - grub2_audit_argument
+ status: automated
+ - id: RHEL-10-500010
+ levels:
+ - medium
+ title: RHEL 10 must audit local events.
+ rules:
+ - auditd_local_events
+ status: automated
+ - id: RHEL-10-500015
+ levels:
+ - medium
+ title: RHEL 10 must write audit records to disk.
+ rules:
+ - auditd_write_logs
+ status: automated
+ - id: RHEL-10-500020
+ levels:
+ - medium
+ title: RHEL 10 must log username information when unsuccessful login attempts occur.
+ rules:
+ - accounts_passwords_pam_faillock_audit
+ status: automated
+ - id: RHEL-10-500025
+ levels:
+ - medium
+ title: RHEL 10 must allow only the information system security manager (ISSM) (or individuals or
+ roles appointed by the ISSM) to select which auditable events are to be audited.
+ rules:
+ - file_permissions_etc_audit_auditd
+ - file_permissions_etc_audit_rulesd
+ status: automated
+ - id: RHEL-10-500030
+ levels:
+ - medium
+ title: RHEL 10 must allocate an "audit_backlog_limit" of sufficient size to capture processes that
+ start prior to the audit daemon.
+ rules:
+ - grub2_audit_backlog_limit_argument
+ - var_audit_backlog_limit=8192
+ status: automated
+ - id: RHEL-10-500035
+ levels:
+ - medium
+ title: RHEL 10 must take appropriate action when a critical audit processing failure occurs.
+ rules:
+ - audit_rules_system_shutdown
+ - var_audit_failure_mode=panic
+ status: automated
+ - id: RHEL-10-500040
+ levels:
+ - medium
+ title: RHEL 10 must take action when allocated audit record storage volume reaches 75 percent of
+ the audit record storage capacity.
+ rules:
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_percentage
+ - var_auditd_space_left_action=email
+ - var_auditd_space_left_percentage=25pc
+ status: automated
+ - id: RHEL-10-500045
+ levels:
+ - medium
+ title: RHEL 10 must label all off-loaded audit logs before sending them to the central log server.
+ rules:
+ - auditd_name_format
+ - var_auditd_name_format=stig
+ status: automated
+ - id: RHEL-10-500100
+ levels:
+ - low
+ title: RHEL 10 must allocate audit record storage capacity to store at least one week's worth of
+ audit records.
+ rules:
+ - auditd_audispd_configure_sufficiently_large_partition
+ - partition_for_var_log_audit
+ status: automated
+ - id: RHEL-10-500105
+ levels:
+ - medium
+ title: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of
+ the audit record storage capacity.
+ rules:
+ - auditd_data_retention_admin_space_left_percentage
+ - var_auditd_admin_space_left_percentage=5pc
+ status: automated
+ - id: RHEL-10-500110
+ levels:
+ - medium
+ title: RHEL 10 must take action when allocated audit record storage volume reaches 95 percent of
+ the repository maximum audit record storage capacity.
+ rules:
+ - auditd_data_retention_admin_space_left_action
+ - var_auditd_admin_space_left_action=single
+ status: automated
+ - id: RHEL-10-500115
+ levels:
+ - medium
+ title: RHEL 10 must take appropriate action when the internal event queue is full.
+ rules:
+ - auditd_overflow_action
+ status: automated
+ - id: RHEL-10-500120
+ levels:
+ - medium
+ title: RHEL 10 must produce audit records containing information to establish the identity of any
+ individual or process associated with the event.
+ rules:
+ - auditd_log_format
+ status: automated
+ - id: RHEL-10-500125
+ levels:
+ - medium
+ title: RHEL 10 must periodically flush audit records to disk to ensure that audit records are not
+ lost.
+ rules:
+ - auditd_freq
+ - var_auditd_freq=100
+ status: automated
+ - id: RHEL-10-500205
+ levels:
+ - medium
+ title: RHEL 10 must notify the system administrator (SA) and information system security officer
+ (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
+ rules:
+ - auditd_data_retention_space_left_action
+ - auditd_data_retention_space_left_percentage
+ - var_auditd_space_left_action=email
+ - var_auditd_space_left_percentage=25pc
+ status: automated
+ - id: RHEL-10-500210
+ levels:
+ - medium
+ title: RHEL 10 must notify the system administrator (SA) and/or information system security officer
+ (ISSO) (at a minimum) of an audit processing failure.
+ rules:
+ - auditd_data_retention_action_mail_acct
+ - var_auditd_action_mail_acct=root
+ status: automated
+ - id: RHEL-10-500215
+ levels:
+ - medium
+ title: RHEL 10 must log Secure Shell (SSH) connection attempts and failures to the server.
+ rules:
+ - sshd_set_loglevel_verbose
+ status: automated
+ - id: RHEL-10-500300
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "execve"
+ system call.
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
+ - id: RHEL-10-500310
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setxattr",
+ "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
+ rules:
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_lremovexattr
+ status: automated
+ - id: RHEL-10-500320
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of "umount" system
+ calls.
+ rules:
+ - audit_rules_privileged_commands_umount
+ status: automated
+ - id: RHEL-10-500330
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chacl"
+ command.
+ rules:
+ - audit_rules_execution_chacl
+ status: automated
+ - id: RHEL-10-500340
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfacl"
+ command.
+ rules:
+ - audit_rules_execution_setfacl
+ status: automated
+ - id: RHEL-10-500350
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chcon"
+ command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+ - id: RHEL-10-500360
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "semanage"
+ command.
+ rules:
+ - audit_rules_execution_semanage
+ status: automated
+ - id: RHEL-10-500370
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setfiles"
+ command.
+ rules:
+ - audit_rules_execution_setfiles
+ status: automated
+ - id: RHEL-10-500380
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "setsebool"
+ command.
+ rules:
+ - audit_rules_execution_setsebool
+ status: automated
+ - id: RHEL-10-500390
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "truncate",
+ "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ status: automated
+ - id: RHEL-10-500400
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "delete_module"
+ system call.
+ rules:
+ - audit_rules_kernel_module_loading_delete
+ status: automated
+ - id: RHEL-10-500410
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "init_module"
+ and "finit_module" system calls.
+ rules:
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_kernel_module_loading_finit
+ status: automated
+ - id: RHEL-10-500420
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chage"
+ command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+ - id: RHEL-10-500430
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "chsh" command.
+ rules:
+ - audit_rules_privileged_commands_chsh
+ status: automated
+ - id: RHEL-10-500440
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "crontab"
+ command.
+ rules:
+ - audit_rules_privileged_commands_crontab
+ status: automated
+ - id: RHEL-10-500450
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "gpasswd"
+ command.
+ rules:
+ - audit_rules_privileged_commands_gpasswd
+ status: automated
+ - id: RHEL-10-500460
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "kmod" command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+ - id: RHEL-10-500470
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "newgrp"
+ command.
+ rules:
+ - audit_rules_privileged_commands_newgrp
+ status: automated
+ - id: RHEL-10-500480
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "pam_timestamp_check"
+ command.
+ rules:
+ - audit_rules_privileged_commands_pam_timestamp_check
+ status: automated
+ - id: RHEL-10-500490
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "passwd"
+ command.
+ rules:
+ - audit_rules_privileged_commands_passwd
+ status: automated
+ - id: RHEL-10-500500
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "postdrop"
+ command.
+ rules:
+ - audit_rules_privileged_commands_postdrop
+ status: automated
+ - id: RHEL-10-500510
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "postqueue"
+ command.
+ rules:
+ - audit_rules_privileged_commands_postqueue
+ status: automated
+ - id: RHEL-10-500520
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the ssh-agent
+ command.
+ rules:
+ - audit_rules_privileged_commands_ssh_agent
+ status: automated
+ - id: RHEL-10-500530
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "ssh-keysign"
+ command.
+ rules:
+ - audit_rules_privileged_commands_ssh_keysign
+ status: automated
+ - id: RHEL-10-500540
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "su" command.
+ rules:
+ - audit_rules_privileged_commands_su
+ status: automated
+ - id: RHEL-10-500550
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudo" command.
+ rules:
+ - audit_rules_privileged_commands_sudo
+ status: automated
+ - id: RHEL-10-500560
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "sudoedit"
+ command.
+ rules:
+ - audit_rules_privileged_commands_sudoedit
+ status: automated
+ - id: RHEL-10-500570
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_chkpwd"
+ command.
+ rules:
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
+ - id: RHEL-10-500580
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "unix_update"
+ command.
+ rules:
+ - audit_rules_privileged_commands_unix_update
+ status: automated
+ - id: RHEL-10-500590
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "userhelper"
+ command.
+ rules:
+ - audit_rules_privileged_commands_userhelper
+ status: automated
+ - id: RHEL-10-500600
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "usermod"
+ command.
+ rules:
+ - audit_rules_privileged_commands_usermod
+ status: automated
+ - id: RHEL-10-500610
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "mount"
+ command.
+ rules:
+ - audit_rules_media_export
+ notes: >
+ Confusing requirement, probably a bug in the DISA STIG - title mentions the
+ "mount" command but the example audit rule in the check and fixtext isn't
+ an audit rule watching a command, instead it watches the mount syscall.
+ The selected rule audit_rules_media_export watches the syscall.
If the
+ command should be watched, the rule audit_rules_privileged_commands_mount
+ should be selected instead.
+ status: automated
+ - id: RHEL-10-500620
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "init" command.
+ rules:
+ - audit_privileged_commands_init
+ status: automated
+ - id: RHEL-10-500630
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "poweroff"
+ command.
+ rules:
+ - audit_privileged_commands_poweroff
+ status: automated
+ - id: RHEL-10-500640
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "reboot"
+ command.
+ rules:
+ - audit_privileged_commands_reboot
+ status: automated
+ - id: RHEL-10-500650
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the shutdown
+ command.
+ rules:
+ - audit_privileged_commands_shutdown
+ status: automated
+ - id: RHEL-10-500660
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount"
+ system call.
+ rules:
+ - audit_rules_dac_modification_umount
+ status: automated
+ - id: RHEL-10-500670
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for successful and unsuccessful uses of the "umount2"
+ system call.
+ rules:
+ - audit_rules_dac_modification_umount2
+ status: automated
+ - id: RHEL-10-500680
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/etc/sudoers".
+ rules:
+ - audit_rules_sudoers
+ status: automated
+ - id: RHEL-10-500690
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect the "/etc/sudoers.d/" directory.
+ rules:
+ - audit_rules_sudoers_d
+ status: automated
+ - id: RHEL-10-500700
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/etc/group".
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+ - id: RHEL-10-500710
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/etc/gshadow".
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+ - id: RHEL-10-500720
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/etc/opasswd".
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+ - id: RHEL-10-500730
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/etc/passwd".
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+ - id: RHEL-10-500740
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/etc/shadow".
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+ - id: RHEL-10-500750
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/var/log/faillock".
+ rules:
+ - audit_rules_login_events_faillock
+ status: automated
+ - id: RHEL-10-500760
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all account creations, modifications, disabling,
+ and termination events that affect "/var/log/lastlog".
+ rules:
+ - audit_rules_login_events_lastlog
+ status: automated
+ - id: RHEL-10-500780
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all uses of the "chmod", "fchmod", "fchmodat", and
+ "fchmodat2" syscalls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchmodat2
+ status: automated
+ - id: RHEL-10-500790
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all uses of the "chown", "fchown", "fchownat", and
+ "lchown" syscalls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+ - id: RHEL-10-500810
+ levels:
+ - medium
+ title: RHEL 10 must generate audit records for all uses of the "rename", "unlink", "rmdir", "renameat",
+ "renameat2", and "unlinkat" system calls.
+ rules:
+ - audit_rules_file_deletion_events_rename
+ - audit_rules_file_deletion_events_unlink
+ - audit_rules_file_deletion_events_rmdir
+ - audit_rules_file_deletion_events_renameat
+ - audit_rules_file_deletion_events_renameat2
+ - audit_rules_file_deletion_events_unlinkat
+ status: automated
+ - id: RHEL-10-600000
+ levels:
+ - medium
+ title: RHEL 10 must require a boot loader superuser password.
+ rules:
+ - grub2_password
+ status: automated
+ - id: RHEL-10-600010
+ levels:
+ - medium
+ title: RHEL 10 must require a unique superusers name upon booting into single-user and maintenance
+ modes.
+ rules:
+ - grub2_admin_username
+ status: automated
+ - id: RHEL-10-600020
+ levels:
+ - medium
+ title: RHEL 10 must not assign an interactive login shell for system accounts.
+ rules:
+ - no_shelllogin_for_systemaccounts
+ status: automated
+ - id: RHEL-10-600100
+ levels:
+ - medium
+ title: RHEL 10 must, for new users or password changes, have a 60-day maximum password lifetime
+ restriction for user account passwords in "/etc/login.defs".
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+ - id: RHEL-10-600110
+ levels:
+ - medium
+ title: RHEL 10 must, for user account passwords, have a 60-day maximum password lifetime restriction.
+ rules:
+ - accounts_password_set_max_life_existing
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+ - id: RHEL-10-600120
+ levels:
+ - medium
+ title: RHEL 10 must assign a home directory for local interactive user accounts upon creation.
+ rules:
+ - accounts_have_homedir_login_defs
+ status: automated
+ - id: RHEL-10-600130
+ levels:
+ - medium
+ title: RHEL 10 must not allow duplicate user IDs (UIDs) to exist for interactive users.
+ rules:
+ - account_unique_id
+ status: automated
+ - id: RHEL-10-600140
+ levels:
+ - medium
+ title: RHEL 10 must automatically expire temporary accounts within 72 hours.
+ rules:
+ - account_temp_expire_date
+ status: automated
+ - id: RHEL-10-600150
+ levels:
+ - medium
+ title: RHEL 10 must assign a primary group to all interactive users.
+ rules:
+ - gid_passwd_group_same
+ status: automated
+ - id: RHEL-10-600160
+ levels:
+ - medium
+ title: RHEL 10 must disable account identifiers (individuals, groups, roles, and devices) after
+ 35 days of inactivity.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+ - id: RHEL-10-600170
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that all local interactive user initialization file executable
+ search path statements do not contain statements that will reference a working directory other
+ than user home directories.
+ rules:
+ - accounts_user_home_paths_only
+ status: automated
+ - id: RHEL-10-600180
+ levels:
+ - medium
+ title: RHEL 10 must assign a home directory to all local interactive users in the "/etc/passwd"
+ file.
+ rules:
+ - accounts_user_interactive_home_directory_defined
+ status: automated
+ - id: RHEL-10-600190
+ levels:
+ - medium
+ title: RHEL 10 must ensure that all local interactive user home directories defined in the "/etc/passwd"
+ file must exist.
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ status: automated
+ - id: RHEL-10-600200
+ levels:
+ - medium
+ title: RHEL 10 must enforce a delay of at least four seconds between login prompts following a
+ failed login attempt.
+ rules:
+ - accounts_logon_fail_delay
+ - var_accounts_fail_delay=4
+ status: automated
+ - id: RHEL-10-600210
+ levels:
+ - medium
+ title: RHEL 10 must enforce a 24-hours minimum password lifetime restriction for passwords for
+ new users or password changes in "/etc/login.defs".
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=1
+ status: automated
+ - id: RHEL-10-600220
+ levels:
+ - medium
+ title: RHEL 10 must enforce that passwords be created with a minimum of 15 characters.
+ rules:
+ - accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+ - id: RHEL-10-600230
+ levels:
+ - medium
+ title: RHEL 10 must enforce password complexity by requiring at least one special character to
+ be used.
+ rules:
+ - accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+ - id: RHEL-10-600240
+ levels:
+ - medium
+ title: RHEL 10 must enforce password complexity by requiring that at least one lowercase character
+ be used.
+ rules:
+ - accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+ - id: RHEL-10-600250
+ levels:
+ - medium
+ title: RHEL 10 must enforce password complexity by requiring that at least one uppercase character
+ be used.
+ rules:
+ - accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+ - id: RHEL-10-600260
+ levels:
+ - medium
+ title: RHEL 10 must require the change of at least eight characters when passwords are changed.
+ rules:
+ - accounts_password_pam_difok
+ - var_password_pam_difok=8
+ status: automated
+ - id: RHEL-10-600270
+ levels:
+ - medium
+ title: RHEL 10 must enforce that passwords have a 24 hours/1 day minimum lifetime restriction in
+ "/etc/shadow".
+ rules:
+ - accounts_password_set_min_life_existing
+ - var_accounts_minimum_age_login_defs=1
+ status: automated
+ - id: RHEL-10-600280
+ levels:
+ - medium
+ title: RHEL 10 must require the maximum number of repeating characters of the same character class
+ to be limited to four when passwords are changed.
+ rules:
+ - accounts_password_pam_maxclassrepeat
+ - var_password_pam_maxclassrepeat=4
+ status: automated
+ - id: RHEL-10-600290
+ levels:
+ - medium
+ title: RHEL 10 must require that the maximum number of repeating characters be limited to three
+ when passwords are changed.
+ rules:
+ - accounts_password_pam_maxrepeat
+ - var_password_pam_maxrepeat=3
+ status: automated
+ - id: RHEL-10-600300
+ levels:
+ - medium
+ title: RHEL 10 must require the change of at least four character classes when passwords are changed.
+ rules:
+ - accounts_password_pam_minclass
+ - var_password_pam_minclass=4
+ status: automated
+ - id: RHEL-10-600310
+ levels:
+ - medium
+ title: RHEL 10 must enforce password complexity by requiring that at least one numeric character
+ be used.
+ rules:
+ - accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+ - id: RHEL-10-600320
+ levels:
+ - medium
+ title: RHEL 10 must prevent the use of dictionary words for passwords.
+ rules:
+ - accounts_password_pam_dictcheck
+ status: automated
+ - id: RHEL-10-600400
+ levels:
+ - medium
+ title: RHEL 10 must allow only the root account to have unrestricted access to the system.
+ rules:
+ - accounts_no_uid_except_zero
+ status: automated
+ - id: RHEL-10-600405
+ levels:
+ - medium
+ title: RHEL 10 must enforce password complexity rules for the "root" account.
+ rules:
+ - accounts_password_pam_enforce_root
+ status: automated
+ - id: RHEL-10-600410
+ levels:
+ - medium
+ title: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur.
+ rules:
+ - accounts_passwords_pam_faillock_deny
+ - var_accounts_passwords_pam_faillock_deny=3
+ status: automated
+ - id: RHEL-10-600415
+ levels:
+ - medium
+ title: RHEL 10 must automatically lock the root account until the root account is released by an
+ administrator when three unsuccessful login attempts occur during a 15-minute time period.
+ rules:
+ - accounts_passwords_pam_faillock_deny_root
+ status: automated
+ - id: RHEL-10-600420
+ levels:
+ - medium
+ title: RHEL 10 must automatically lock an account when three unsuccessful login attempts occur
+ during a 15-minute time period.
+ rules:
+ - accounts_passwords_pam_faillock_interval
+ - var_accounts_passwords_pam_faillock_fail_interval=900
+ status: automated
+ - id: RHEL-10-600425
+ levels:
+ - medium
+ title: RHEL 10 must maintain an account lock until the locked account is released by an administrator.
+ rules:
+ - accounts_passwords_pam_faillock_unlock_time
+ - var_accounts_passwords_pam_faillock_unlock_time=never
+ status: automated
+ - id: RHEL-10-600430
+ levels:
+ - medium
+ title: RHEL 10 must ensure account lockouts persist.
+ rules:
+ - accounts_passwords_pam_faillock_dir
+ status: automated
+ - id: RHEL-10-600450
+ levels:
+ - medium
+ title: RHEL 10 must not have unauthorized accounts.
+ rules:
+ - accounts_authorized_local_users
+ - var_accounts_authorized_local_users_regex=rhel9
+ status: automated
+ notes: >
+ TODO: create a RHEL 10 option in the var_accounts_authorized_local_users_regex variable
+ - id: RHEL-10-600455
+ levels:
+ - medium
+ title: RHEL 10 must not allow blank or null passwords.
+ rules:
+ - no_empty_passwords
+ status: automated
+ - id: RHEL-10-600460
+ levels:
+ - medium
+ title: RHEL 10 must not have accounts configured with blank or null passwords.
+ rules:
+ - no_empty_passwords_etc_shadow
+ status: automated
+ - id: RHEL-10-600470
+ levels:
+ - medium
+ title: RHEL 10 must have a unique group ID (GID) for each group in "/etc/group".
+ rules:
+ - group_unique_id
+ status: automated
+ - id: RHEL-10-600475
+ levels:
+ - low
+ title: RHEL 10 must limit the number of concurrent sessions to 10 for all accounts and/or account
+ types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+ - id: RHEL-10-600485
+ levels:
+ - medium
+ title: RHEL 10 must ensure the password complexity module in the system-auth file is configured
+ for three or fewer retries.
+ rules:
+ - accounts_password_pam_pwquality_retry
+ - var_password_pam_retry=3
+ status: automated
+ - id: RHEL-10-600500
+ levels:
+ - medium
+ title: RHEL 10 must restrict the use of the "su" command.
+ rules:
+ - use_pam_wheel_for_su
+ status: automated
+ - id: RHEL-10-600510
+ levels:
+ - medium
+ title: RHEL 10 must be configured to not bypass password requirements for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+ - id: RHEL-10-600520
+ levels:
+ - medium
+ title: RHEL 10 must restrict privilege elevation to authorized personnel.
+ rules:
+ - sudo_restrict_privilege_elevation_to_authorized
+ status: automated
+ - id: RHEL-10-600530
+ levels:
+ - medium
+ title: RHEL 10 must require users to reauthenticate for privilege escalation.
+ rules:
+ - sudo_remove_no_authenticate
+ status: automated
+ - id: RHEL-10-600540
+ levels:
+ - medium
+ title: RHEL 10 must require reauthentication when using the "sudo" command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+ - id: RHEL-10-600550
+ levels:
+ - medium
+ title: RHEL 10 must use the invoking user's password for privilege escalation when using "sudo".
+ rules:
+ - sudoers_validate_passwd
+ status: automated
+ - id: RHEL-10-600560
+ levels:
+ - high
+ title: RHEL 10 must require users to provide a password for privilege escalation.
+ rules:
+ - sudo_remove_nopasswd
+ status: automated
+ - id: RHEL-10-600600
+ levels:
+ - medium
+ title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/system-auth"
+ file.
+ rules:
+ - account_password_pam_faillock_system_auth
+ status: automated
+ - id: RHEL-10-600610
+ levels:
+ - medium
+ title: RHEL 10 must configure the use of the pam_faillock.so module in the "/etc/pam.d/password-auth"
+ file.
+ rules:
+ - account_password_pam_faillock_password_auth
+ status: automated
+ - id: RHEL-10-600620
+ levels:
+ - medium
+ title: RHEL 10 must ensure the password complexity module is enabled in the "password-auth" file.
+ rules:
+ - accounts_password_pam_pwquality_password_auth
+ status: automated
+ - id: RHEL-10-600630
+ levels:
+ - medium
+ title: RHEL 10 must ensure the password complexity module is enabled in the "system-auth" file.
+ rules:
+ - accounts_password_pam_pwquality_system_auth
+ status: automated
+ - id: RHEL-10-600640
+ levels:
+ - high
+ title: RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
+ rules:
+ - sshd_enable_pam
+ status: automated
+ - id: RHEL-10-600650
+ levels:
+ - medium
+ title: RHEL 10 must ensure that the pam_unix.so module is configured in the password-auth file
+ to use a FIPS 140-3-approved cryptographic hashing algorithm for system authentication.
+ rules:
+ - set_password_hashing_algorithm_passwordauth
+ - var_password_hashing_algorithm_pam=sha512
+ status: automated
+ - id: RHEL-10-600700
+ levels:
+ - medium
+ title: RHEL 10 must be configured to use a sufficient number of hashing rounds for the shadow password
+ suite.
+ rules:
+ - accounts_password_pam_unix_rounds_system_auth
+ - var_password_pam_unix_rounds=100000
+ status: automated
+ - id: RHEL-10-600710
+ levels:
+ - medium
+ title: RHEL 10 must be configured to use a FIPS 140-3-approved cryptographic hashing algorithm
+ for system authentication by ensuring that the pam_unix.so module is configured in the "system-auth"
+ file.
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ - var_password_hashing_algorithm_pam=sha512
+ status: automated
+ - id: RHEL-10-600720
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that password-auth uses a sufficient number of hashing rounds.
+ rules:
+ - accounts_password_pam_unix_rounds_password_auth
+ - var_password_pam_unix_rounds=100000
+ status: automated
+ - id: RHEL-10-600730
+ levels:
+ - high
+ title: RHEL 10 must employ FIPS 140-3-approved cryptographic hashing algorithms for all stored
+ passwords.
+ rules:
+ - accounts_password_all_shadowed_sha512
+ status: automated
+ - id: RHEL-10-600740
+ levels:
+ - high
+ title: RHEL 10 must be configured to use the shadow file to store only encrypted representations
+ of passwords.
+ rules:
+ - set_password_hashing_algorithm_logindefs
+ - var_password_hashing_algorithm=SHA512
+ status: automated
+ - id: RHEL-10-600750
+ levels:
+ - high
+ title: RHEL 10 must be configured so that user and group account administration utilities are configured
+ to store only encrypted representations of passwords.
+ rules:
+ - set_password_hashing_algorithm_libuserconf
+ - var_password_hashing_algorithm_pam=sha512
+ status: automated
+ - id: RHEL-10-700010
+ levels:
+ - medium
+ title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting
+ local or remote access to the system via a Secure Shell (SSH) login.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+ - id: RHEL-10-700020
+ levels:
+ - medium
+ title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting
+ local or remote access to the system via a graphical user login.
+ rules:
+ - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
+ status: automated
+ - id: RHEL-10-700030
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the banner-message-enable setting for the graphical
+ user interface.
+ rules:
+ - dconf_gnome_banner_enabled
+ status: automated
+ - id: RHEL-10-700040
+ levels:
+ - medium
+ title: RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting
+ local or remote access to the system via a command line user login.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ status: automated
+ - id: RHEL-10-700100
+ levels:
+ - medium
+ title: RHEL 10 must prevent special devices on file systems that are imported via Network File
+ System (NFS).
+ rules:
+ - mount_option_nodev_remote_filesystems
+ status: automated
+ - id: RHEL-10-700105
+ levels:
+ - medium
+ title: RHEL 10 must prevent code from being executed on file systems that are imported via Network
+ File System (NFS).
+ rules:
+ - mount_option_noexec_remote_filesystems
+ status: automated
+ - id: RHEL-10-700110
+ levels:
+ - medium
+ title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on
+ file systems that are imported via Network File System (NFS).
+ rules:
+ - mount_option_nosuid_remote_filesystems
+ status: automated
+ - id: RHEL-10-700115
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
+ rules:
+ - mount_option_krb_sec_remote_filesystems
+ status: automated
+ - id: RHEL-10-700120
+ levels:
+ - medium
+ title: RHEL 10 must mount "/boot" with the "nodev" option.
+ rules:
+ - mount_option_boot_nodev
+ status: automated
+ - id: RHEL-10-700125
+ levels:
+ - medium
+ title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on
+ the "/boot" directory.
+ rules:
+ - mount_option_boot_nosuid
+ status: automated
+ - id: RHEL-10-700130
+ levels:
+ - medium
+ title: RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on
+ the "/boot/efi" directory.
+ rules:
+ - mount_option_boot_efi_nosuid
+ status: automated
+ - id: RHEL-10-700135
+ levels:
+ - medium
+ title: RHEL 10 must mount "/dev/shm" with the "nodev" option.
+ rules:
+ - mount_option_dev_shm_nodev
+ status: automated
+ - id: RHEL-10-700140
+ levels:
+ - medium
+ title: RHEL 10 must mount "/dev/shm" with the "noexec" option.
+ rules:
+ - mount_option_dev_shm_noexec
+ status: automated
+ - id: RHEL-10-700145
+ levels:
+ - medium
+ title: RHEL 10 must mount "/dev/shm" with the "nosuid" option.
+ rules:
+ - mount_option_dev_shm_nosuid
+ status: automated
+ - id: RHEL-10-700150
+ levels:
+ - medium
+ title: RHEL 10 must mount "/tmp" with the "nodev" option.
+ rules:
+ - mount_option_tmp_nodev
+ status: automated
+ - id: RHEL-10-700155
+ levels:
+ - medium
+ title: RHEL 10 must mount "/tmp" with the "noexec" option.
+ rules:
+ - mount_option_tmp_noexec
+ status: automated
+ - id: RHEL-10-700160
+ levels:
+ - medium
+ title: RHEL 10 must mount "/tmp" with the "nosuid" option.
+ rules:
+ - mount_option_tmp_nosuid
+ status: automated
+ - id: RHEL-10-700165
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var" with the "nodev" option.
+ rules:
+ - mount_option_var_nodev
+ status: automated
+ - id: RHEL-10-700170
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/log" with the "nodev" option.
+ rules:
+ - mount_option_var_log_nodev
+ status: automated
+ - id: RHEL-10-700175
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/log" with the "noexec" option.
+ rules:
+ - mount_option_var_log_noexec
+ status: automated
+ - id: RHEL-10-700180
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/log" with the "nosuid" option.
+ rules:
+ - mount_option_var_log_nosuid
+ status: automated
+ - id: RHEL-10-700185
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/tmp" with the "nodev" option.
+ rules:
+ - mount_option_var_tmp_nodev
+ status: automated
+ - id: RHEL-10-700190
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/tmp" with the "noexec" option.
+ rules:
+ - mount_option_var_tmp_noexec
+ status: automated
+ - id: RHEL-10-700195
+ levels:
+ - medium
+ title: RHEL 10 must mount "/var/tmp" with the "nosuid" option.
+ rules:
+ - mount_option_var_tmp_nosuid
+ status: automated
+ - id: RHEL-10-700200
+ levels:
+ - medium
+ title: RHEL 10 must prevent special devices on nonroot local partitions.
+ rules:
+ - mount_option_nodev_nonroot_local_partitions
+ status: automated
+ - id: RHEL-10-700400
+ levels:
+ - medium
+ title: RHEL 10 must enable the SELinux targeted policy.
+ rules:
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
+ status: automated
+ - id: RHEL-10-700410
+ levels:
+ - medium
+ title: RHEL 10 must elevate the SELinux context when an administrator calls the sudo command.
+ rules:
+ - selinux_context_elevation_for_sudo
+ status: automated
+ - id: RHEL-10-700420
+ levels:
+ - medium
+ title: RHEL 10 must use a Linux Security Module configured to enforce limits on system services.
+ rules:
+ - selinux_state
+ - var_selinux_state=enforcing
+ status: automated
+ - id: RHEL-10-700430
+ levels:
+ - medium
+ title: RHEL 10 must configure SELinux context type to allow the use of a nondefault faillock tally
+ directory.
+ rules:
+ - account_password_selinux_faillock_dir
+ status: automated
+ - id: RHEL-10-700500
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that Secure Shell (SSH) public host key files have mode "0644"
+ or less permissive.
+ rules:
+ - file_permissions_sshd_pub_key
+ status: automated
+ - id: RHEL-10-700510
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic
+ Security Service Application Program Interface (GSSAPI) authentication.
+ rules:
+ - sshd_disable_gssapi_auth
+ status: automated
+ - id: RHEL-10-700520
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos
+ authentication.
+ rules:
+ - sshd_disable_kerb_auth
+ status: automated
+ - id: RHEL-10-700530
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow rhosts authentication.
+ rules:
+ - sshd_disable_rhosts
+ status: automated
+ - id: RHEL-10-700540
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow known hosts
+ authentication.
+ rules:
+ - sshd_disable_user_known_hosts
+ status: automated
+ - id: RHEL-10-700550
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon disables remote X connections
+ for interactive users.
+ rules:
+ - sshd_disable_x11_forwarding
+ status: automated
+ - id: RHEL-10-700560
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon performs strict mode checking
+ of home directory configuration files.
+ rules:
+ - sshd_enable_strictmodes
+ status: automated
+ - id: RHEL-10-700570
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon displays the date and time
+ of the last successful account login upon an SSH login.
+ rules:
+ - sshd_print_last_log
+ status: automated
+ - id: RHEL-10-700580
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that the Secure Shell (SSH) daemon prevents remote hosts from
+ connecting to the proxy display.
+ rules:
+ - sshd_x11_use_localhost
+ status: automated
+ - id: RHEL-10-700590
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions
+ are not modified.
+ rules:
+ - file_permissions_sshd_config
+ - directory_permissions_sshd_config_d
+ - file_permissions_sshd_drop_in_config
+ notes: >
+ TODO: STIG recommends to use rpm to verify the permissions.
+ status: automated
+ - id: RHEL-10-700600
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that SSHD accepts public key authentication.
+ rules:
+ - sshd_enable_pubkey_auth
+ status: automated
+ - id: RHEL-10-700610
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that SSHD does not allow blank passwords.
+ rules:
+ - sshd_disable_empty_passwords
+ status: automated
+ - id: RHEL-10-700620
+ levels:
+ - medium
+ title: RHEL 10 must not permit direct logins to the root account using remote access via Secure
+ Shell (SSH).
+ rules:
+ - sshd_disable_root_login
+ status: automated
+ - id: RHEL-10-700630
+ levels:
+ - medium
+ title: RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system.
+ rules:
+ - disable_host_auth
+ status: automated
+ - id: RHEL-10-700640
+ levels:
+ - high
+ title: RHEL 10 must not allow users to override Secure Shell (SSH) environment variables.
+ rules:
+ - sshd_do_not_permit_user_env
+ status: automated
+ - id: RHEL-10-700650
+ levels:
+ - high
+ title: RHEL 10 must force a frequent session key renegotiation for Secure Shell (SSH) connections
+ to the server.
+ rules:
+ - sshd_rekey_limit
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+ status: automated
+ - id: RHEL-10-700660
+ levels:
+ - medium
+ title: RHEL 10 must be configured so that all network connections associated with Secure Shell
+ (SSH) traffic terminate after becoming unresponsive.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ status: automated
+ - id: RHEL-10-700670
+ levels:
+ - medium
+ title: RHEL 10 must forward mail from postmaster to the root account using a postfix alias.
+ rules:
+ - postfix_client_configure_mail_alias_postmaster
+ status: automated
+ - id: RHEL-10-700680
+ levels:
+ - medium
+ title: RHEL 10 must not have a "shosts.equiv" file on the system.
+ rules:
+ - no_host_based_files
+ status: automated
+ - id: RHEL-10-700690
+ levels:
+ - medium
+ title: RHEL 10 must not have any ".shosts" files on the system.
+ rules:
+ - no_user_host_based_files
+ status: automated
+ - id: RHEL-10-700700
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface
+ automount function.
+ rules:
+ - dconf_gnome_disable_automount_open
+ status: automated
+ - id: RHEL-10-700710
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the disabling of the graphical user interface
+ autorun function.
+ rules:
+ - dconf_gnome_disable_autorun
+ status: automated
+ - id: RHEL-10-700720
+ levels:
+ - high
+ title: RHEL 10 must not allow unattended or automatic login via the graphical user interface.
+ rules:
+ - gnome_gdm_disable_automatic_login
+ status: automated
+ - id: RHEL-10-700730
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the disabling of the graphical user smart card
+ removal action.
+ rules:
+ - dconf_gnome_lock_screen_on_smartcard_removal
+ status: automated
+ - id: RHEL-10-700740
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the screensaver lock-enabled setting for the
+ graphical user interface.
+ rules:
+ - dconf_gnome_screensaver_lock_enabled
+ - dconf_gnome_screensaver_lock_locked
+ status: automated
+ - id: RHEL-10-700750
+ levels:
+ - medium
+ title: RHEL 10 must automatically lock graphical user sessions after 15 minutes of inactivity.
+ rules:
+ - dconf_gnome_screensaver_idle_delay
+ - inactivity_timeout_value=15_minutes
+ status: automated
+ - id: RHEL-10-700760
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the session idle-delay setting for the graphical
+ user interface.
+ rules:
+ - dconf_gnome_session_idle_user_locks
+ status: automated
+ - id: RHEL-10-700770
+ levels:
+ - medium
+ title: RHEL 10 must initiate a session lock for graphical user interfaces when the screensaver
+ is activated.
+ rules:
+ - dconf_gnome_screensaver_lock_delay
+ - var_screensaver_lock_delay=5_seconds
+ status: automated
+ - id: RHEL-10-700780
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the session lock-delay setting for the graphical
+ user interface.
+ rules:
+ - dconf_gnome_screensaver_user_locks
+ status: automated
+ - id: RHEL-10-700790
+ levels:
+ - medium
+ title: RHEL 10 must conceal, via the session lock, information previously visible on the display
+ with a publicly viewable image.
+ rules:
+ - dconf_gnome_screensaver_mode_blank
+ status: automated
+ - id: RHEL-10-700800
+ levels:
+ - medium
+ title: RHEL 10 must ensure effective dconf policy matches the policy keyfiles.
+ rules:
+ - dconf_db_up_to_date
+ status: automated
+ - id: RHEL-10-700810
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the disable-restart-buttons setting for the
+ graphical user interface.
+ rules:
+ - dconf_gnome_disable_restart_shutdown
+ status: automated
+ - id: RHEL-10-700820
+ levels:
+ - medium
+ title: RHEL 10 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical
+ user interface.
+ rules:
+ - dconf_gnome_disable_ctrlaltdel_reboot
+ status: automated
+ - id: RHEL-10-700830
+ levels:
+ - medium
+ title: RHEL 10 must disable the ability of a user to accidentally press Ctrl-Alt-Del and cause
+ a system to shut down or reboot.
+ rules:
+ - disable_ctrlaltdel_reboot
+ status: automated
+ - id: RHEL-10-700840
+ levels:
+ - medium
+ title: RHEL 10 must disable the user list at login for graphical user interfaces.
+ rules:
+ - dconf_gnome_disable_user_list
+ status: automated
+ - id: RHEL-10-700850
+ levels:
+ - medium
+ title: RHEL 10 must be configured to disable USB mass storage.
+ rules:
+ - kernel_module_usb-storage_disabled
+ status: automated
+ - id: RHEL-10-700860
+ levels:
+ - medium
+ title: RHEL 10 must disable Bluetooth.
+ rules:
+ - kernel_module_bluetooth_disabled
+ status: automated
+ - id: RHEL-10-700870
+ levels:
+ - medium
+ title: RHEL 10 must disable wireless network adapters.
+ rules:
+ - wireless_disable_interfaces
+ status: automated
+ - id: RHEL-10-700880
+ levels:
+ - medium
+ title: RHEL 10 must disable the graphical user interface automounter unless required.
+ rules:
+ - dconf_gnome_disable_automount_open
+ status: automated
+ - id: RHEL-10-700890
+ levels:
+ - low
+ title: RHEL 10 must disable the graphical user interface autorunner unless required.
+ rules:
+ - dconf_gnome_disable_autorun
+ status: automated
+ - id: RHEL-10-700900
+ levels:
+ - medium
+ title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.
+ rules:
+ - bios_enable_execution_restrictions
+ status: automated
+ - id: RHEL-10-700920
+ levels:
+ - medium
+ title: RHEL 10 must automatically exit interactive command shell user sessions after 15 minutes
+ of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+ status: automated
+ - id: RHEL-10-700930
+ levels:
+ - medium
+ title: RHEL 10 must be configured with a timeout interval for the Secure Shell (SSH) daemon.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+ - id: RHEL-10-700940
+ levels:
+ - medium
+ title: RHEL 10 must not default to the graphical display manager unless approved.
+ rules:
+ - xwindows_runlevel_target
+ status: automated
+ - id: RHEL-10-700950
+ levels:
+ - high
+ title: RHEL 10 must disable the systemd Ctrl-Alt-Delete burst key sequence.
+ rules:
+ - disable_ctrlaltdel_burstaction
+ status: automated
+ - id: RHEL-10-700960
+ levels:
+ - high
+ title: RHEL 10 must disable the x86 Ctrl-Alt-Delete key sequence.
+ rules:
+ - disable_ctrlaltdel_reboot
+ status: automated
+ - id: RHEL-10-700980
+ levels:
+ - medium
+ title: RHEL 10 must disable the ability of systemd to spawn an interactive boot process.
+ rules:
+ - grub2_disable_interactive_boot
+ status: automated
+ - id: RHEL-10-700990
+ levels:
+ - medium
+ title: RHEL 10 must disable virtual system calls.
+ rules:
+ - grub2_vsyscall_argument
+ status: automated
+ - id: RHEL-10-701000
+ levels:
+ - medium
+ title: RHEL 10 must clear the page allocator to prevent use-after-free attacks.
+ rules:
+ - grub2_page_poison_argument
+ status: automated
+ - id: RHEL-10-701010
+ levels:
+ - medium
+ title: RHEL 10 must clear memory when it is freed to prevent use-after-free attacks.
+ rules:
+ - grub2_init_on_free
+ status: automated
+ - id: RHEL-10-701020
+ levels:
+ - medium
+ title: RHEL 10 must enable mitigations against processor-based vulnerabilities.
+ rules:
+ - grub2_pti_argument
+ status: automated
+ - id: RHEL-10-701030
+ levels:
+ - medium
+ title: RHEL 10 must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+ - id: RHEL-10-701040
+ levels:
+ - medium
+ title: RHEL 10 must prevent kernel profiling by nonprivileged users.
+ rules:
+ - sysctl_kernel_perf_event_paranoid
+ status: automated
+ - id: RHEL-10-701050
+ levels:
+ - high
+ title: RHEL 10 must prevent the loading of a new kernel for later execution.
+ rules:
+ - sysctl_kernel_kexec_load_disabled
+ status: automated
+ - id: RHEL-10-701060
+ levels:
+ - medium
+ title: RHEL 10 must restrict exposed kernel pointer address access.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+ - id: RHEL-10-701070
+ levels:
+ - medium
+ title: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.
+ rules:
+ - sysctl_fs_protected_hardlinks
+ status: automated
+ - id: RHEL-10-701080
+ levels:
+ - medium
+ title: RHEL 10 must enable kernel parameters to enforce discretionary access control (DAC) on symlinks.
+ rules:
+ - sysctl_fs_protected_symlinks
+ status: automated
+ - id: RHEL-10-701090
+ levels:
+ - medium
+ title: RHEL 10 must disable the "kernel.core_pattern".
+ rules:
+ - sysctl_kernel_core_pattern
+ status: automated
+ - id: RHEL-10-701100
+ levels:
+ - medium
+ title: RHEL 10 must be configured to disable the Controller Area Network (CAN) kernel module.
+ rules:
+ - kernel_module_can_disabled
+ status: automated
+ - id: RHEL-10-701110
+ levels:
+ - medium
+ title: RHEL 10 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
+ rules:
+ - kernel_module_sctp_disabled
+ status: automated
+ - id: RHEL-10-701120
+ levels:
+ - medium
+ title: RHEL 10 must disable the Transparent Inter Process Communication (TIPC) kernel module.
+ rules:
+ - kernel_module_tipc_disabled
+ status: automated
+ - id: RHEL-10-701130
+ levels:
+ - medium
+ title: RHEL 10 must implement address space layout randomization (ASLR) to protect its memory from
+ unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+ - id: RHEL-10-701140
+ levels:
+ - medium
+ title: RHEL 10 must restrict usage of ptrace to descendant processes.
+ rules:
+ - sysctl_kernel_yama_ptrace_scope
+ status: automated
+ - id: RHEL-10-701150
+ levels:
+ - medium
+ title: RHEL 10 must disable core dump backtraces.
+ rules:
+ - coredump_disable_backtraces
+ status: automated
+ - id: RHEL-10-701160
+ levels:
+ - medium
+ title: RHEL 10 must disable storing core dumps.
+ rules:
+ - coredump_disable_storage
+ status: automated
+ - id: RHEL-10-701170
+ levels:
+ - medium
+ title: RHEL 10 must disable core dumps for all users.
+ rules:
+ - disable_users_coredumps
+ status: automated
+ - id: RHEL-10-701180
+ levels:
+ - medium
+ title: RHEL 10 must disable acquiring, saving, and processing core dumps.
+ rules:
+ - service_systemd-coredump_disabled
+ status: automated
+ - id: RHEL-10-701190
+ levels:
+ - medium
+ title: RHEL 10 must implement nonexecutable data to protect its memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_exec_shield
+ status: automated
+ - id: RHEL-10-701200
+ levels:
+ - medium
+ title: RHEL 10 must disable the kdump service.
+ rules:
+ - service_kdump_disabled
+ status: automated
+ - id: RHEL-10-701210
+ levels:
+ - medium
+ title: RHEL 10 must disable file system automount function unless required.
+ rules:
+ - service_autofs_disabled
+ status: automated
+ - id: RHEL-10-701220
+ levels:
+ - medium
+ title: RHEL 10 must enable certificate-based smart card authentication.
+ rules:
+ - sssd_enable_smartcards
+ status: automated
+ - id: RHEL-10-701230
+ levels:
+ - medium
+ title: RHEL 10 must implement certificate status checking for multifactor authentication.
+ rules:
+ - sssd_certificate_verification
+ - var_sssd_certificate_verification_digest_function=sha512
+ status: automated
+ - id: RHEL-10-701240
+ levels:
+ - medium
+ title: RHEL 10 must, for PKI-based authentication, enforce authorized access to the corresponding
+ private key.
+ rules:
+ - ssh_keys_passphrase_protected
+ status: automated
+ - id: RHEL-10-701250
+ levels:
+ - medium
+ title: RHEL 10 must require authentication to access emergency mode.
+ rules:
+ - require_emergency_target_auth
+ status: automated
+ - id: RHEL-10-701260
+ levels:
+ - medium
+ title: RHEL 10 must require authentication to access single-user mode.
+ rules:
+ - require_singleuser_auth
+ status: automated
+ - id: RHEL-10-701270
+ levels:
+ - medium
+ title: RHEL 10 must, for PKI-based authentication, validate certificates by constructing a certification
+ path (which includes status information) to an accepted trust anchor.
+ rules:
+ - sssd_has_trust_anchor
+ status: automated
+ - id: RHEL-10-701280
+ levels:
+ - medium
+ title: RHEL 10 must map the authenticated identity to the user or group account for public key
+ infrastructure (PKI)-based authentication.
+ rules:
+ - sssd_enable_certmap
+ status: automated
+ - id: RHEL-10-701290
+ levels:
+ - medium
+ title: RHEL 10 must prohibit the use of cached authenticators after one day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+ - id: RHEL-10-800000
+ levels:
+ - medium
+ title: RHEL 10 must control remote access methods.
+ rules:
+ - configure_firewalld_ports
+ status: automated
+ - id: RHEL-10-800010
+ levels:
+ - medium
+ title: RHEL 10 must be configured to prohibit or restrict the use of functions, ports, protocols,
+ and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category
+ Assignments List (CAL) and vulnerability assessments.
+ rules:
+ - firewalld_sshd_port_enabled
+ status: automated
+ - id: RHEL-10-800020
+ levels:
+ - medium
+ title: RHEL 10 must enforce that network interfaces not be in promiscuous mode.
+ rules:
+ - network_sniffer_disabled
+ status: automated
+ - id: RHEL-10-800030
+ levels:
+ - medium
+ title: RHEL 10 must disable access to the network bpf system call from nonprivileged processes.
+ rules:
+ - sysctl_kernel_unprivileged_bpf_disabled
+ status: automated
+ - id: RHEL-10-800040
+ levels:
+ - medium
+ title: RHEL 10 must securely compare internal information system clocks at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - chronyd_server_directive
+ - chronyd_specify_remote_server
+ - var_multiple_time_servers=stig
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+ - id: RHEL-10-800050
+ levels:
+ - medium
+ title: RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.
+ rules:
+ - sysctl_net_core_bpf_jit_harden
+ status: automated
+ - id: RHEL-10-800060
+ levels:
+ - medium
+ title: RHEL 10 must have at least two name servers configured for systems using Domain Name Server
+ (DNS) resolution.
+ rules:
+ - network_configure_name_resolution
+ status: automated
+ - id: RHEL-10-800070
+ levels:
+ - medium
+ title: RHEL 10 must not have unauthorized IP tunnels configured.
+ rules:
+ - libreswan_approved_tunnels
+ status: automated
+ - id: RHEL-10-800080
+ levels:
+ - medium
+ title: RHEL 10 must be configured to use Transmission Control Protocol (TCP) syncookies.
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+ - id: RHEL-10-800090
+ levels:
+ - medium
+ title: RHEL 10 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol
+ (ICMP) redirect messages.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ status: automated
+ - id: RHEL-10-800100
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ status: automated
+ - id: RHEL-10-800110
+ levels:
+ - medium
+ title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses.
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
+ status: automated
+ - id: RHEL-10-800120
+ levels:
+ - medium
+ title: RHEL 10 must log Internet Protocol version 4 (IPv4) packets with impossible addresses by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_log_martians
+ status: automated
+ - id: RHEL-10-800130
+ levels:
+ - medium
+ title: RHEL 10 must use reverse path filtering on all Internet Protocol version 4 (IPv4) interfaces.
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
+ status: automated
+ - id: RHEL-10-800140
+ levels:
+ - medium
+ title: RHEL 10 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol
+ (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ status: automated
+ - id: RHEL-10-800150
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ status: automated
+ - id: RHEL-10-800160
+ levels:
+ - medium
+ title: RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic
+ when possible by default.
+ rules:
+ - sysctl_net_ipv4_conf_default_rp_filter
+ status: automated
+ - id: RHEL-10-800170
+ levels:
+ - medium
+ title: RHEL 10 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast
+ address.
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ status: automated
+ - id: RHEL-10-800180
+ levels:
+ - medium
+ title: RHEL 10 must limit the number of bogus Internet Control Message Protocol (ICMP) response
+ errors logs.
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ status: automated
+ - id: RHEL-10-800190
+ levels:
+ - medium
+ title: RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects.
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ status: automated
+ - id: RHEL-10-800200
+ levels:
+ - medium
+ title: RHEL 10 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects
+ by default.
+ rules:
+ - sysctl_net_ipv4_conf_default_send_redirects
+ status: automated
+ - id: RHEL-10-800210
+ levels:
+ - medium
+ title: RHEL 10 must not enable Internet Protocol version 4 (IPv4) packet forwarding unless the
+ system is a router.
+ rules:
+ - sysctl_net_ipv4_conf_all_forwarding
+ status: automated
+ - id: RHEL-10-800220
+ levels:
+ - medium
+ title: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6)
+ interfaces.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_ra
+ status: automated
+ - id: RHEL-10-800230
+ levels:
+ - medium
+ title: RHEL 10 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ status: automated
+ - id: RHEL-10-800240
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ status: automated
+ - id: RHEL-10-800250
+ levels:
+ - medium
+ title: RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the
+ system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_all_forwarding
+ status: automated
+ - id: RHEL-10-800260
+ levels:
+ - medium
+ title: RHEL 10 must not accept router advertisements on all Internet Protocol version 6 (IPv6)
+ interfaces by default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_ra
+ status: automated
+ - id: RHEL-10-800270
+ levels:
+ - medium
+ title: RHEL 10 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol
+ (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ status: automated
+ - id: RHEL-10-800280
+ levels:
+ - medium
+ title: RHEL 10 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ status: automated
+ - id: RHEL-10-800290
+ levels:
+ - medium
+ title: RHEL 10 must protect against or limit the effects of denial-of-service (DoS) attacks by
+ ensuring that rate-limiting measures on impacted network interfaces are implemented.
+ rules:
+ - firewalld-backend
+ related_rules:
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
+ notes: >
+ TODO: resolve mismatch of title and description
+ status: automated
+ - id: RHEL-10-800300
+ levels:
+ - medium
+ title: RHEL 10 must configure a DNS processing mode in Network Manager to avoid conflicts with
+ other Domain Name Server (DNS) managers and to not leak DNS queries to untrusted networks.
+ rules:
+ - networkmanager_dns_mode
+ - var_networkmanager_dns_mode=explicit_default
+ status: automated
+ - id: RHEL-10-800310
+ levels:
+ - medium
+ title: RHEL 10 must be configured to operate in secure mode if the Trivial File Transfer Protocol
+ (TFTP) server service is required.
+ rules:
+ - tftp_uses_secure_mode_systemd
+ status: automated
+ - id: RHEL-10-900000
+ levels:
+ - medium
+ title: RHEL 10 must enforce mode "0640" or less for the "/etc/audit/auditd.conf" file to prevent
+ unauthorized access.
+ rules:
+ - file_permissions_etc_audit_auditd
+ status: automated
+ - id: RHEL-10-900100
+ levels:
+ - medium
+ title: RHEL 10 must prevent unauthorized changes to the audit system.
+ rules:
+ - audit_rules_immutable
+ status: automated
+ - id: RHEL-10-001000
+ levels:
+ - high
+ title: RHEL 10 must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
index 0c4878a9e7d0..80daad7df772 100644
--- a/products/rhel10/profiles/default.profile
+++ b/products/rhel10/profiles/default.profile
@@ -47,3 +47,13 @@ selections:
 - configure_ssh_crypto_policy
 - package_dnsmasq_removed
 - chrony_set_nts
+ - audit_rules_privileged_commands_pkexec
+ - sshd_include_crypto_policy
+ - file_permission_user_init_files_root
+ - mount_option_nodev_removable_partitions
+ - mount_option_noexec_removable_partitions
+ - audit_rules_privileged_commands_mount
+ - fips_crypto_subpolicy
+ - mount_option_nosuid_removable_partitions
+ - sysctl_net_ipv4_tcp_invalid_ratelimit
+ - set_password_hashing_min_rounds_logindefs
diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile
index 3c1b0ee2b7cf..525208993d65 100644
--- a/products/rhel10/profiles/stig.profile
+++ b/products/rhel10/profiles/stig.profile
@@ -19,7 +19,7 @@ description: |-
 Red Hat technologies that are based on Red Hat Enterprise Linux 10.
 selections:
- - srg_gpos:all
+ - stig_rhel10:all
 - '!enable_authselect'
 # Currently not working RHEL 10, changes are being made to FIPS mode. Investigation is recommended.
 - '!enable_dracut_fips_module'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 91b104d88076..b511d7ad89e7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,5 +1,3 @@
-CCE-86484-3
-CCE-86492-6
 CCE-86494-2
 CCE-86497-5
 CCE-86498-3
diff --git a/tests/data/profile_stability/rhel10/stig.profile b/tests/data/profile_stability/rhel10/stig.profile
index 852e32158a64..fa944e100fab 100644
--- a/tests/data/profile_stability/rhel10/stig.profile
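Review bot: Replacing `srg_gpos:all` with `stig_rhel10:all` quietly narrows the STIG profile, and neither the new selection line nor the commit says that this is intended: the regenerated fixtures in this same commit lose `fips_crypto_subpolicy`, `sshd_include_crypto_policy`, `sshd_disable_compression`, `ssh_client_rekey_limit`, `ensure_gpgcheck_never_disabled`, `set_password_hashing_min_rounds_logindefs`, `var_password_pam_remember=5` and the `audit_rules_unsuccessful_file_modification_rename`/`renameat`/`unlink`/`unlinkat` watches, while some of those rules are parked in default.profile in the hunk above with no comment either. If the RHEL 10 control file deliberately omits them, say so next to the new line, e.g. `# stig_rhel10 selects only what the control file lists; rules dropped from the former SRG-based selection stay buildable via default.profile`, and give the default.profile additions a matching one-line comment; if the omission is not deliberate, the control file should be completed before these fixtures are accepted. The remaining `!enable_authselect` and `!enable_dracut_fips_module` exclusions were written against the SRG selection and are worth re-checking against the new base. The stig_gui fixtures show the same removals, so one explanation covers both.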
+++ b/tests/data/profile_stability/rhel10/stig.profile
@@ -11,6 +11,7 @@ accounts_max_concurrent_login_sessions
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
 accounts_no_uid_except_zero
+accounts_password_all_shadowed_sha512
 accounts_password_pam_dcredit
 accounts_password_pam_dictcheck
 accounts_password_pam_difok
@@ -25,6 +26,8 @@ accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_retry
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_ucredit
+accounts_password_pam_unix_rounds_password_auth
+accounts_password_pam_unix_rounds_system_auth
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_passwords_pam_faillock_audit
@@ -88,22 +91,17 @@ audit_rules_kernel_module_loading_finit
 audit_rules_kernel_module_loading_init
 audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
-audit_rules_login_events_tallylog
 audit_rules_media_export
 audit_rules_privileged_commands_chage
 audit_rules_privileged_commands_chsh
 audit_rules_privileged_commands_crontab
 audit_rules_privileged_commands_gpasswd
 audit_rules_privileged_commands_kmod
-audit_rules_privileged_commands_modprobe
-audit_rules_privileged_commands_mount
 audit_rules_privileged_commands_newgrp
 audit_rules_privileged_commands_pam_timestamp_check
 audit_rules_privileged_commands_passwd
-audit_rules_privileged_commands_pkexec
 audit_rules_privileged_commands_postdrop
 audit_rules_privileged_commands_postqueue
-audit_rules_privileged_commands_rmmod
 audit_rules_privileged_commands_ssh_agent
 audit_rules_privileged_commands_ssh_keysign
 audit_rules_privileged_commands_su
@@ -123,11 +121,7 @@ audit_rules_unsuccessful_file_modification_ftruncate
 audit_rules_unsuccessful_file_modification_open
 audit_rules_unsuccessful_file_modification_open_by_handle_at
 audit_rules_unsuccessful_file_modification_openat
-audit_rules_unsuccessful_file_modification_rename
-audit_rules_unsuccessful_file_modification_renameat
 audit_rules_unsuccessful_file_modification_truncate
-audit_rules_unsuccessful_file_modification_unlink
-audit_rules_unsuccessful_file_modification_unlinkat
 audit_rules_usergroup_modification_group
 audit_rules_usergroup_modification_gshadow
 audit_rules_usergroup_modification_opasswd
@@ -156,7 +150,6 @@ clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
 configure_firewalld_ports
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_opensc_card_drivers
 configure_usbguard_auditbackend
@@ -179,6 +172,8 @@ dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -195,13 +190,11 @@ disable_ctrlaltdel_reboot
 disable_host_auth
 disable_users_coredumps
 disallow_bypass_password_sudo
-display_login_attempts
-dnf-automatic_apply_updates
 enable_fips_mode
+enable_gpgcheck_for_all_repositories
 encrypt_partitions
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_local_packages
-ensure_gpgcheck_never_disabled
 ensure_redhat_gpgkey_installed
 fapolicy_default_deny
 file_audit_tools_group_ownership
@@ -212,7 +205,6 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
-file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
 file_groupowner_cron_deny
@@ -236,7 +228,6 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
-file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
 file_owner_cron_deny
@@ -258,14 +249,11 @@ file_ownership_binary_dirs
 file_ownership_library_dirs
 file_ownership_var_log_audit_stig
 file_permission_user_init_files
-file_permission_user_init_files_root
-file_permissions_audit_configuration
 file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
 file_permissions_binary_dirs
-file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
 file_permissions_cron_hourly
@@ -289,7 +277,6 @@ file_permissions_var_log
 file_permissions_var_log_audit
 file_permissions_var_log_messages
 file_sshd_50_redhat_exists
-fips_crypto_subpolicy
 firewalld-backend
 firewalld_sshd_port_enabled
 gid_passwd_group_same
@@ -319,7 +306,7 @@ kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
 login_banner_contents=dod_default
 login_banner_text=dod_banners
-logind_session_timeout
+mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_nosuid
 mount_option_dev_shm_nodev
@@ -331,11 +318,8 @@ mount_option_home_nosuid
 mount_option_krb_sec_remote_filesystems
 mount_option_nodev_nonroot_local_partitions
 mount_option_nodev_remote_filesystems
-mount_option_nodev_removable_partitions
 mount_option_noexec_remote_filesystems
-mount_option_noexec_removable_partitions
 mount_option_nosuid_remote_filesystems
-mount_option_nosuid_removable_partitions
 mount_option_tmp_nodev
 mount_option_tmp_noexec
 mount_option_tmp_nosuid
@@ -384,7 +368,6 @@ package_rsyslog-gnutls_installed
 package_rsyslog_installed
 package_s-nail_installed
 package_sequoia-sq_installed
-package_sssd_installed
 package_subscription-manager_installed
 package_sudo_installed
 package_telnet-server_removed
@@ -403,6 +386,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_client_configure_mail_alias_postmaster
 postfix_prevent_unrestricted_relay
+require_emergency_target_auth
 require_singleuser_auth
 root_permissions_syslibrary_files
 rootfiles_configured
@@ -427,21 +411,16 @@ service_kdump_disabled
 service_pcscd_enabled
 service_rsyslog_enabled
 service_sshd_enabled
-service_sssd_enabled
 service_systemd-coredump_disabled
 service_systemd-journald_enabled
 service_usbguard_enabled
-set_firewalld_default_zone
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
-set_password_hashing_min_rounds_logindefs
-ssh_client_rekey_limit
 ssh_keys_passphrase_protected
-sshd_approved_ciphers=stig_rhel9
-sshd_approved_macs=stig_rhel9
-sshd_disable_compression
+sshd_approved_ciphers=stig_rhel10
+sshd_approved_macs=stig_rhel10
 sshd_disable_empty_passwords
 sshd_disable_gssapi_auth
 sshd_disable_kerb_auth
@@ -455,7 +434,6 @@ sshd_enable_pubkey_auth
 sshd_enable_strictmodes
 sshd_enable_warning_banner
 sshd_idle_timeout_value=10_minutes
-sshd_include_crypto_policy
 sshd_print_last_log
 sshd_rekey_limit
 sshd_set_idle_timeout
@@ -488,17 +466,16 @@ sysctl_net_core_bpf_jit_harden
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_forwarding
+sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_rp_filter
 sysctl_net_ipv4_conf_all_send_redirects
 sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_source_route
+sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_rp_filter
 sysctl_net_ipv4_conf_default_send_redirects
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-sysctl_net_ipv4_ip_forward
-sysctl_net_ipv4_tcp_invalid_ratelimit
-sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
 sysctl_net_ipv4_tcp_syncookies
 sysctl_net_ipv6_conf_all_accept_ra
 sysctl_net_ipv6_conf_all_accept_redirects
@@ -510,7 +487,6 @@ sysctl_net_ipv6_conf_default_accept_source_route
 system_booted_in_fips_mode
 tftp_uses_secure_mode_systemd
 usbguard_generate_policy
-use_kerberos_security_all_exports
 use_pam_wheel_for_su
 var_account_disable_post_pw_expiration=35
 var_accounts_authorized_local_users_regex=rhel9
@@ -532,13 +508,11 @@ var_auditd_freq=100
 var_auditd_name_format=stig
 var_auditd_space_left_action=email
 var_auditd_space_left_percentage=25pc
-var_authselect_profile=sssd
 var_multiple_time_servers=stig
 var_networkmanager_dns_mode=explicit_default
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
 var_password_pam_dcredit=1
-var_password_pam_dictcheck=1
 var_password_pam_difok=8
 var_password_pam_lcredit=1
 var_password_pam_maxclassrepeat=4
@@ -546,8 +520,6 @@ var_password_pam_maxrepeat=3
 var_password_pam_minclass=4
 var_password_pam_minlen=15
 var_password_pam_ocredit=1
-var_password_pam_remember=5
-var_password_pam_remember_control_flag=requisite_or_required
 var_password_pam_retry=3
 var_password_pam_ucredit=1
 var_password_pam_unix_rounds=100000
@@ -558,7 +530,6 @@ var_screensaver_lock_delay=5_seconds
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing
 var_smartcard_drivers=cac
-var_sshd_disable_compression=no
 var_sshd_set_keepalive=1
 var_sssd_certificate_verification_digest_function=sha512
 var_sudo_timestamp_timeout=always_prompt
diff --git a/tests/data/profile_stability/rhel10/stig_gui.profile b/tests/data/profile_stability/rhel10/stig_gui.profile
index b66915644e0a..02096a5e3754 100644
--- a/tests/data/profile_stability/rhel10/stig_gui.profile
+++ b/tests/data/profile_stability/rhel10/stig_gui.profile
@@ -11,6 +11,7 @@ accounts_max_concurrent_login_sessions
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
 accounts_no_uid_except_zero
+accounts_password_all_shadowed_sha512
 accounts_password_pam_dcredit
 accounts_password_pam_dictcheck
 accounts_password_pam_difok
@@ -25,6 +26,8 @@ accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_retry
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_ucredit
+accounts_password_pam_unix_rounds_password_auth
+accounts_password_pam_unix_rounds_system_auth
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_passwords_pam_faillock_audit
@@ -88,22 +91,17 @@ audit_rules_kernel_module_loading_finit
 audit_rules_kernel_module_loading_init
 audit_rules_login_events_faillock
 audit_rules_login_events_lastlog
-audit_rules_login_events_tallylog
 audit_rules_media_export
 audit_rules_privileged_commands_chage
 audit_rules_privileged_commands_chsh
 audit_rules_privileged_commands_crontab
 audit_rules_privileged_commands_gpasswd
 audit_rules_privileged_commands_kmod
-audit_rules_privileged_commands_modprobe
-audit_rules_privileged_commands_mount
 audit_rules_privileged_commands_newgrp
 audit_rules_privileged_commands_pam_timestamp_check
 audit_rules_privileged_commands_passwd
-audit_rules_privileged_commands_pkexec
 audit_rules_privileged_commands_postdrop
 audit_rules_privileged_commands_postqueue
-audit_rules_privileged_commands_rmmod
 audit_rules_privileged_commands_ssh_agent
 audit_rules_privileged_commands_ssh_keysign
 audit_rules_privileged_commands_su
@@ -123,11 +121,7 @@ audit_rules_unsuccessful_file_modification_ftruncate
 audit_rules_unsuccessful_file_modification_open
 audit_rules_unsuccessful_file_modification_open_by_handle_at
 audit_rules_unsuccessful_file_modification_openat
-audit_rules_unsuccessful_file_modification_rename
-audit_rules_unsuccessful_file_modification_renameat
 audit_rules_unsuccessful_file_modification_truncate
-audit_rules_unsuccessful_file_modification_unlink
-audit_rules_unsuccessful_file_modification_unlinkat
 audit_rules_usergroup_modification_group
 audit_rules_usergroup_modification_gshadow
 audit_rules_usergroup_modification_opasswd
@@ -156,7 +150,6 @@ clean_components_post_updating
 configure_bind_crypto_policy
 configure_crypto_policy
 configure_firewalld_ports
-configure_kerberos_crypto_policy
 configure_libreswan_crypto_policy
 configure_opensc_card_drivers
 configure_usbguard_auditbackend
@@ -179,6 +172,8 @@ dconf_gnome_screensaver_lock_locked
 dconf_gnome_screensaver_mode_blank
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
+dconf_login_banner_contents=dod_default
+dconf_login_banner_text=dod_banners
 dir_group_ownership_library_dirs
 dir_ownership_library_dirs
 dir_permissions_library_dirs
@@ -195,13 +190,11 @@ disable_ctrlaltdel_reboot
 disable_host_auth
 disable_users_coredumps
 disallow_bypass_password_sudo
-display_login_attempts
-dnf-automatic_apply_updates
 enable_fips_mode
+enable_gpgcheck_for_all_repositories
 encrypt_partitions
 ensure_gpgcheck_globally_activated
 ensure_gpgcheck_local_packages
-ensure_gpgcheck_never_disabled
 ensure_redhat_gpgkey_installed
 fapolicy_default_deny
 file_audit_tools_group_ownership
@@ -212,7 +205,6 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
-file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
 file_groupowner_cron_deny
@@ -236,7 +228,6 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
-file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
 file_owner_cron_deny
@@ -258,14 +249,11 @@ file_ownership_binary_dirs
 file_ownership_library_dirs
 file_ownership_var_log_audit_stig
 file_permission_user_init_files
-file_permission_user_init_files_root
-file_permissions_audit_configuration
 file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
 file_permissions_binary_dirs
-file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
 file_permissions_cron_hourly
@@ -289,7 +277,6 @@ file_permissions_var_log
 file_permissions_var_log_audit
 file_permissions_var_log_messages
 file_sshd_50_redhat_exists
-fips_crypto_subpolicy
 firewalld-backend
 firewalld_sshd_port_enabled
 gid_passwd_group_same
@@ -319,6 +306,7 @@ kernel_module_usb-storage_disabled
 libreswan_approved_tunnels
 login_banner_contents=dod_default
 login_banner_text=dod_banners
+mount_option_boot_efi_nosuid
 mount_option_boot_nodev
 mount_option_boot_nosuid
 mount_option_dev_shm_nodev
@@ -330,11 +318,8 @@ mount_option_home_nosuid
 mount_option_krb_sec_remote_filesystems
 mount_option_nodev_nonroot_local_partitions
 mount_option_nodev_remote_filesystems
-mount_option_nodev_removable_partitions
 mount_option_noexec_remote_filesystems
-mount_option_noexec_removable_partitions
 mount_option_nosuid_remote_filesystems
-mount_option_nosuid_removable_partitions
 mount_option_tmp_nodev
 mount_option_tmp_noexec
 mount_option_tmp_nosuid
@@ -381,7 +366,6 @@ package_rsyslog-gnutls_installed
 package_rsyslog_installed
 package_s-nail_installed
 package_sequoia-sq_installed
-package_sssd_installed
 package_subscription-manager_installed
 package_sudo_installed
 package_telnet-server_removed
@@ -400,6 +384,7 @@ partition_for_var_tmp
 postfix_client_configure_mail_alias
 postfix_client_configure_mail_alias_postmaster
 postfix_prevent_unrestricted_relay
+require_emergency_target_auth
 require_singleuser_auth
 root_permissions_syslibrary_files
 rootfiles_configured
@@ -424,21 +409,16 @@ service_kdump_disabled
 service_pcscd_enabled
 service_rsyslog_enabled
 service_sshd_enabled
-service_sssd_enabled
 service_systemd-coredump_disabled
 service_systemd-journald_enabled
 service_usbguard_enabled
-set_firewalld_default_zone
 set_password_hashing_algorithm_libuserconf
 set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
-set_password_hashing_min_rounds_logindefs
-ssh_client_rekey_limit
 ssh_keys_passphrase_protected
-sshd_approved_ciphers=stig_rhel9
-sshd_approved_macs=stig_rhel9
-sshd_disable_compression
+sshd_approved_ciphers=stig_rhel10
+sshd_approved_macs=stig_rhel10
 sshd_disable_empty_passwords
 sshd_disable_gssapi_auth
 sshd_disable_kerb_auth
@@ -452,7 +432,6 @@ sshd_enable_pubkey_auth
 sshd_enable_strictmodes
 sshd_enable_warning_banner
 sshd_idle_timeout_value=10_minutes
-sshd_include_crypto_policy
 sshd_print_last_log
 sshd_rekey_limit
 sshd_set_idle_timeout
@@ -485,17 +464,16 @@ sysctl_net_core_bpf_jit_harden
 sysctl_net_ipv4_conf_all_accept_redirects
 sysctl_net_ipv4_conf_all_accept_source_route
 sysctl_net_ipv4_conf_all_forwarding
+sysctl_net_ipv4_conf_all_log_martians
 sysctl_net_ipv4_conf_all_rp_filter
 sysctl_net_ipv4_conf_all_send_redirects
 sysctl_net_ipv4_conf_default_accept_redirects
 sysctl_net_ipv4_conf_default_accept_source_route
+sysctl_net_ipv4_conf_default_log_martians
 sysctl_net_ipv4_conf_default_rp_filter
 sysctl_net_ipv4_conf_default_send_redirects
 sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-sysctl_net_ipv4_ip_forward
-sysctl_net_ipv4_tcp_invalid_ratelimit
-sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred
 sysctl_net_ipv4_tcp_syncookies
 sysctl_net_ipv6_conf_all_accept_ra
 sysctl_net_ipv6_conf_all_accept_redirects
@@ -507,7 +485,6 @@ sysctl_net_ipv6_conf_default_accept_source_route
 system_booted_in_fips_mode
 tftp_uses_secure_mode_systemd
 usbguard_generate_policy
-use_kerberos_security_all_exports
 use_pam_wheel_for_su
 var_account_disable_post_pw_expiration=35
 var_accounts_authorized_local_users_regex=rhel9
@@ -529,13 +506,11 @@ var_auditd_freq=100
 var_auditd_name_format=stig
 var_auditd_space_left_action=email
 var_auditd_space_left_percentage=25pc
-var_authselect_profile=sssd
 var_multiple_time_servers=stig
 var_networkmanager_dns_mode=explicit_default
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
 var_password_pam_dcredit=1
-var_password_pam_dictcheck=1
 var_password_pam_difok=8
 var_password_pam_lcredit=1
 var_password_pam_maxclassrepeat=4
@@ -543,8 +518,6 @@ var_password_pam_maxrepeat=3
 var_password_pam_minclass=4
 var_password_pam_minlen=15
 var_password_pam_ocredit=1
-var_password_pam_remember=5
-var_password_pam_remember_control_flag=requisite_or_required
 var_password_pam_retry=3
 var_password_pam_ucredit=1
 var_password_pam_unix_rounds=100000
@@ -555,7 +528,6 @@ var_screensaver_lock_delay=5_seconds
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing
 var_smartcard_drivers=cac
-var_sshd_disable_compression=no
 var_sshd_set_keepalive=1
 var_sssd_certificate_verification_digest_function=sha512
 var_sudo_timestamp_timeout=always_prompt
diff --git a/utils/build_stig_control.py b/utils/build_stig_control.py
index 7f4de481038f..a6773247f7ec 100755
--- a/utils/build_stig_control.py
+++ b/utils/build_stig_control.py
@@ -136,7 +136,11 @@ def get_rules_for_control(stig_id, known_rules, srgs, srg_controls):
 # Let's also add any rule selected in the SRG control file
 if srg_controls:
 for srg in srgs:
- rule_set.update(srg_controls.get_control(srg).rules)
+ try:
+ rules = srg_controls.get_control(srg).rules
+ rule_set.update(rules)
+ except ValueError as e:
+ sys.stderr.write("Cannot add rules for %s: %s\n" % (stig_id, str(e)))
 return sorted(list(rule_set))
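Review bot: The new `except ValueError` turns an unresolvable SRG id into a stderr line and carries on, so the control for `stig_id` is still emitted with a silently reduced rule set and nothing makes the generator exit non-zero; the message also omits which `srg` failed, which is the one detail needed to fix the input. Keep only the lookup inside the `try` and name the id, e.g. `except ValueError as e:` / `sys.stderr.write("Cannot add rules for %s (%s): %s\n" % (stig_id, srg, e))` with `rule_set.update(rules)` moved to an `else:` branch, so a ValueError from anywhere else is not mis-reported as a lookup failure (`str(e)` is redundant under `%s`). Consider counting these failures and having the caller exit non-zero, since a control file that quietly lost rules is a coverage gap nobody will notice until an audit. I cannot see from the hunk whether `sys` is imported in this script; `get_rules_for_control` starts before the hunk.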