Guide to the Secure Configuration of Red Hat Enterprise Linux 7

with profile United States Government Configuration Baseline (USGCB / STIG) - DRAFT
This profile is developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security related configuration settings by which all federal agencies should comply. This baseline implements configuration requirements from the following documents: - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) - NIST Controlled Unclassified Information (NIST 800-171) - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) - U.S. Government Configuration Baseline (USGCB) - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) - DISA Operating System Security Requirements Guide (OS SRG) For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the OpenSCAP/SCAP Security Guide initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide content as minor divergences, such as bugfixes, work through the consensus process.

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 7. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.
Profile TitleUnited States Government Configuration Baseline (USGCB / STIG) - DRAFT
Profile IDxccdf_org.ssgproject.content_profile_ospp-rhel7

Revision History

Current version: 0.1.36

  • draft (as of 2017-10-31)

Platforms

  • cpe:/o:redhat:enterprise_linux:7
  • cpe:/o:redhat:enterprise_linux:7::client
  • cpe:/o:redhat:enterprise_linux:7::computenode

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. File Permissions and Masks
    3. SELinux
    4. Account and Access Control
    5. Network Configuration and Firewalls
    6. Configure Syslog
    7. System Accounting with auditd
  2. Services
    1. Obsolete Services
    2. Base Services
    3. Cron and At Daemons
    4. SSH Server
    5. System Security Services Daemon
    6. Network Time Protocol
    7. LDAP
    8. NFS and RPC
    9. Network Routing

Checklist

contains 359 rules

System Settings   [ref]group

Contains rules that check correct system settings.

contains 304 rules

Installing and Maintaining Software   [ref]group

The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

contains 47 rules

Disk Partitioning   [ref]group

To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning scheme creates separate logical volumes for /, /boot, and swap.

  • If starting with any of the default layouts, check the box to "Review and modify partitioning." This allows for the easy creation of additional logical volumes inside the volume group already created, though it may require making /'s logical volume smaller to create space. In general, using logical volumes is preferable to using partitions because they can be more easily adjusted later.
  • If creating a custom layout, create the partitions mentioned in the previous paragraph (which the installer will require anyway), as well as separate ones described in the following sections.
If a system has already been installed, and the default partitioning scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM.

contains 1 rule

Encrypt Partitions   [ref]rule

Red Hat Enterprise Linux 7 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html

Rationale:

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Severity:  high

Updating Software   [ref]group

The yum command line tool is used to install and update software packages. The system also provides a graphical software update tool in the System menu, in the Administration submenu, called Software Update.

Red Hat Enterprise Linux systems contain an installed software catalog called the RPM database, which records metadata of installed packages. Consistently using yum or the graphical Software Update for all software installation allows for insight into the current inventory of installed software on the system.

contains 7 rules

Ensure Red Hat GPG Key Installed   [ref]rule

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:

$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY

Rationale:

Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.

Severity:  high

Identifiers:  CCE-26957-1

References:  CM-5(3), SI-7, MA-1(b), CCI-001749, 366, Req-6.2, 1.2.3, 5.10.4.1, 3.4.8

Remediation Shell script:   (show)

# The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0"
# Location of the key we would like to import (once it's integrity verified)
readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

# Verify /etc/pki/rpm-gpg directory permissions are safe
if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
then
  # If they are safe, try to obtain fingerprints from the key file
  # (to ensure there won't be e.g. CRC error).
  IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}" | grep 'Key fingerprint ='))
  GPG_RESULT=$?
  # No CRC error, safe to proceed
  if [ "${GPG_RESULT}" -eq "0" ]
  then
    tr -s ' ' <<< "${GPG_OUT}" | grep -vE "${REDHAT_RELEASE_2_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
      # If file doesn't contains any keys with unknown fingerprint, import it
      rpm --import "${REDHAT_RELEASE_KEY}"
    }
  fi
fi
Remediation Ansible snippet:   (show)

Complexity:medium
Disruption:medium
Strategy:restrict
- name: "Read permission of GPG key directory"
  stat:
    path: /etc/pki/rpm-gpg/
  register: gpg_key_directory_permission
  check_mode: no
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

# It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well.

- name: Read signatures in GPG key
  shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g'
  changed_when: False
  register: gpg_fingerprints
  check_mode: no
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

- name: Set Fact - Valid fingerprints
  set_fact:
     gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0")
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

- name: Import RedHat GPG key
  rpm_key:
    state: present
    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  when:
    (gpg_key_directory_permission.stat.mode <= '0755')
    and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0)
    and (gpg_fingerprints.stdout_lines | length > 0)
    and (ansible_distribution == "RedHat")
  tags:
    - ensure_redhat_gpgkey_installed
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - CCE-26957-1
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

Ensure gpgcheck Enabled In Main Yum Configuration   [ref]rule

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

Rationale:

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Severity:  high

Remediation Shell script:   (show)

# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/yum.conf' '^gpgcheck' '1' 'CCE-26989-4'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: Check existence of yum on Fedora
  stat:
    path: /etc/yum.conf
  register: yum_config_file
  check_mode: no
  when: ansible_distribution == "Fedora"

# Old versions of Fedora use yum

- name: Ensure GPG check is globally activated (yum)
  ini_file:
    dest: "{{item}}"
    section: main
    option: gpgcheck
    value: 1
    create: False
  with_items: "/etc/yum.conf"
  when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists
  tags:
    - ensure_gpgcheck_globally_activated
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-26989-4
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020050

- name: Ensure GPG check is globally activated (dnf)
  ini_file:
    dest: "{{item}}"
    section: main
    option: gpgcheck
    value: 1
    create: False
  with_items: "/etc/dnf/dnf.conf"
  when: ansible_distribution == "Fedora"
  tags:
    - ensure_gpgcheck_globally_activated
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-26989-4
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020050

Ensure gpgcheck Enabled For All Yum Package Repositories   [ref]rule

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Rationale:

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).

Severity:  high

Identifiers:  CCE-26876-3

References:  CM-5(3), SI-7, MA-1(b), CCI-001749, 366, Req-6.2, 5.10.4.1, 3.4.8

Remediation Shell script:   (show)

sed -i 's/gpgcheck=.*/gpgcheck=1/g' /etc/yum.repos.d/*
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
#
- name: Find All Yum Repositories
  find:
    paths: "/etc/yum.repos.d/"
    patterns: "*.repo"
  register: yum_find

- name: Ensure gpgcheck Enabled For All Yum Package Repositories
  with_items: "{{ yum_find.files }}"
  lineinfile:
    create: yes
    dest: "{{ item.path }}"
    regexp: '^gpgcheck'
    line: 'gpgcheck=1'
  tags:
    - ensure_gpgcheck_never_disabled
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-26876-3
    - NIST-800-53-CM-5(3)
    - NIST-800-53-SI-7
    - NIST-800-53-MA-1(b)
    - NIST-800-171-3.4.8
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1

Ensure Software Patches Installed   [ref]rule

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

Rationale:

Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Severity:  high

Identifiers:  CCE-26895-3

References:  RHEL-07-020260, SI-2, SI-2(c), MA-1(b), CCI-000366, Req-6.2, 1.8, SRG-OS-000480-GPOS-00227, 5.10.4.1

Remediation Shell script:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch
yum -y update
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:high
Reboot:true
Strategy:patch
- name: "Security patches are up to date"
  package:
    name: "*"
    state: "latest"
  tags:
    - security_patches_up_to_date
    - high_severity
    - patch_strategy
    - low_complexity
    - high_disruption
    - CCE-26895-3
    - NIST-800-53-SI-2
    - NIST-800-53-SI-2(c)
    - NIST-800-53-MA-1(b)
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020260

Ensure YUM Removes Previous Package Versions   [ref]rule

Yum should be configured to remove previous software components after previous versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf.

Rationale:

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.

Severity:  low

Identifiers:  CCE-80346-0

References:  RHEL-07-020200, SI-2(6), CCI-002617, SRG-OS-000437-GPOS-00194, 3.4.8

Remediation Shell script:   (show)


if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
else
        echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
        echo "clean_requirements_on_remove=1" >> /etc/yum.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: "Ensure YUM Removes Previous Package Versions"
  lineinfile:
      dest: /etc/yum.conf
      regexp: ^#?clean_requirements_on_remove
      line: clean_requirements_on_remove=1
      insertafter: '\[main\]'
  tags:
    - clean_components_post_updating
    - low_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-80346-0
    - NIST-800-53-SI-2(6)
    - NIST-800-171-3.4.8
    - DISA-STIG-RHEL-07-020200

Ensure gpgcheck Enabled for Local Packages   [ref]rule

Yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf.

Rationale:

Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Severity:  high

Identifiers:  CCE-80347-8

References:  RHEL-07-020060, CM-5(3), CCI-001749, SRG-OS-000366-GPOS-00153, 3.4.8

Remediation Shell script:   (show)


if grep --silent ^localpkg_gpgcheck /etc/yum.conf ; then
        sed -i "s/^localpkg_gpgcheck.*/localpkg_gpgcheck=1/g" /etc/yum.conf
else
        echo -e "\n# Set localpkg_gpgcheck to 1 per security requirements" >> /etc/yum.conf
        echo "localpkg_gpgcheck=1" >> /etc/yum.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: Check existence of yum on Fedora
  stat:
    path: /etc/yum.conf
  register: yum_config_file
  check_mode: no
  when: ansible_distribution == "Fedora"

# Old versions of Fedora use yum

- name: Ensure GPG check Enabled for Local Packages (Yum)
  ini_file:
    dest: "{{item}}"
    section: main
    option: localpkg_gpgcheck
    value: 1
    create: True
  with_items: "/etc/yum.conf"
  when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists
  tags:
    - ensure_gpgcheck_local_packages
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80347-8
    - NIST-800-53-CM-5(3)
    - NIST-800-171-3.4.8
    - DISA-STIG-RHEL-07-020060

- name: Ensure GPG check Enabled for Local Packages (DNF)
  ini_file:
    dest: "{{item}}"
    section: main
    option: localpkg_gpgcheck
    value: 1
    create: True
  with_items: "/etc/dnf/dnf.conf"
  when: ansible_distribution == "Fedora"
  tags:
    - ensure_gpgcheck_local_packages
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80347-8
    - NIST-800-53-CM-5(3)
    - NIST-800-171-3.4.8
    - DISA-STIG-RHEL-07-020060

System and Software Integrity   [ref]group

System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevention System, etc. However, installing or enabling integrity checking tools cannot prevent intrusions, but they can detect that an intrusion may have occurred. Requirements for integrity checking may be highly dependent on the environment in which the system will be used. Snapshot-based approaches such as AIDE may induce considerable overhead in the presence of frequent software updates.

contains 15 rules

Software Integrity Checking   [ref]group

Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of file metadata (such as hashes) and compares these to current system files in order to detect changes.

The RPM package management system can conduct integrity checks by comparing information in its metadata database with files installed on the system.

contains 9 rules

Verify Integrity with AIDE   [ref]group

AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and then again after any software update. AIDE is highly configurable, with further configuration information located in /usr/share/doc/aide-VERSION.

contains 7 rules

Install AIDE   [ref]rule

Install the AIDE package with the command:

$ sudo yum install aide

Rationale:

The AIDE package must be installed if it is to be available for integrity checking.

Severity:  medium

Identifiers:  CCE-27096-7

References:  CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 1.3.1, 5.10.1.3

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable
# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
  package:
    name="{{item}}"
    state=present
  with_items:
    - aide
  tags:
    - package_aide_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-27096-7
    - NIST-800-53-CM-3(d)
    - NIST-800-53-CM-3(e)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable

package --add=aide

Build and Test AIDE Database   [ref]rule

Run the following command to generate a new database:

$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.

Rationale:

For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Severity:  medium

Identifiers:  CCE-27220-3

References:  CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, Req-11.5, 5.10.1.3

Remediation Shell script:   (show)

# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide

/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: "Ensure AIDE is installed"
  package:
    name="{{item}}"
    state=present
  with_items:
    - aide
  tags:
    - aide_build_database
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27220-3
    - NIST-800-53-CM-3(d)
    - NIST-800-53-CM-3(e)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

- name: "Build and Test AIDE Database"
  shell: /usr/sbin/aide --init
  tags:
    - aide_build_database
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27220-3
    - NIST-800-53-CM-3(d)
    - NIST-800-53-CM-3(e)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

- name: Stage AIDE Database"
  copy:
    src: /var/lib/aide/aide.db.new.gz
    dest: /var/lib/aide/aide.db.gz
    backup: yes
    remote_src: yes
  tags:
    - aide_build_database
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27220-3
    - NIST-800-53-CM-3(d)
    - NIST-800-53-CM-3(e)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

Configure Periodic Execution of AIDE   [ref]rule

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.

Rationale:

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Severity:  medium

Remediation Shell script:   (show)

# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide

if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: "Ensure AIDE is installed"
  package:
    name="{{item}}"
    state=present
  with_items:
    - aide
  tags:
    - aide_periodic_cron_checking
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26952-2
    - NIST-800-53-CM-3(d)
    - NIST-800-53-CM-3(e)
    - NIST-800-53-CM-3(5)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-07-020030

- name: "Configure Periodic Execution of AIDE"
  cron:
    name: "run AIDE check"
    minute: 05
    hour: 04
    weekday: 0
    user: root
    job: "/usr/sbin/aide --check"
  tags:
    - aide_periodic_cron_checking
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26952-2
    - NIST-800-53-CM-3(d)
    - NIST-800-53-CM-3(e)
    - NIST-800-53-CM-3(5)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3
    - DISA-STIG-RHEL-07-020030

Configure Notification of Post-AIDE Scan Details   [ref]rule

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.

Rationale:

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Severity:  medium

Identifiers:  CCE-80374-2

References:  RHEL-07-020040, CM-3(5), CCI-001744, SRG-OS-000363-GPOS-00150

Remediation Shell script:   (show)

# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide

CRONTAB=/etc/crontab
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'

if [ -f /var/spool/cron/root ]; then
	VARSPOOL=/var/spool/cron/root
fi

if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
	echo '0 5 * * * /usr/sbin/aide  --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
fi

Configure AIDE to Verify Access Control Lists (ACLs)   [ref]rule

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale:

ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Severity:  medium

Identifiers:  CCE-80375-9

References:  RHEL-07-021600, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227

Remediation Shell script:   (show)

# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide

aide_conf="/etc/aide.conf"

groups=$(grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)

for group in $groups
do
	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

	if ! [[ $config = *acl* ]]
	then
		if [[ -z $config ]]
		then
			config="acl"
		else
			config=$config"+acl"
		fi
	fi
	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

Configure AIDE to Verify Extended Attributes   [ref]rule

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale:

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Severity:  medium

Identifiers:  CCE-80376-7

References:  RHEL-07-021610, SI-7.1, CCI-000366, SRG-OS-000480-GPOS-00227

Remediation Shell script:   (show)

# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide

aide_conf="/etc/aide.conf"

groups=$(grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)

for group in $groups
do
	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

	if ! [[ $config = *xattrs* ]]
	then
		if [[ -z $config ]]
		then
			config="xattrs"
		else
			config=$config"+xattrs"
		fi
	fi
	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

Configure AIDE to Use FIPS 140-2 for Validating Hashes   [ref]rule

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

NORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Rationale:

File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

Severity:  medium

Identifiers:  CCE-80377-5

References:  RHEL-07-021620, SI-7(1), CCI-000366, SRG-OS-000480-GPOS-00227, 3.13.11

Remediation Shell script:   (show)

# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install aide

aide_conf="/etc/aide.conf"
forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)

groups=$(grep "^[A-Z]\+" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)

for group in $groups
do
	config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

	if ! [[ $config = *sha512* ]]
	then
		config=$config"+sha512"
	fi

	for hash in ${forbidden_hashes[@]}
	do
		config=$(echo $config | sed "s/$hash//")
	done

	config=$(echo $config | sed "s/^\+*//")
	config=$(echo $config | sed "s/\+\++/+/")
	config=$(echo $config | sed "s/\+$//")

	sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

Verify Integrity with RPM   [ref]group

The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To list which files on the system differ from what is expected by the RPM database:

$ rpm -qVa
See the man page for rpm to see a complete explanation of each column.

contains 2 rules

Verify and Correct File Permissions with RPM   [ref]rule

The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

$ sudo rpm -Va | grep '^.M'
Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setperms PACKAGENAME

Warning:  Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have been correctly set on /var/log/gdm. This is being tracked in Red Hat Bugzilla #1275532.
Rationale:

Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Severity:  high

Remediation Shell script:   (show)

Complexity:high
Disruption:medium
Strategy:restrict

# Declare array to hold list of RPM packages we need to correct permissions for
declare -a SETPERMS_RPM_LIST

# Create a list of files on the system having permissions different from what
# is expected by the RPM database
FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep '^.M' | cut -d ' ' -f5-))

# For each file path from that list:
# * Determine the RPM package the file path is shipped by,
# * Include it into SETPERMS_RPM_LIST array

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
	RPM_PACKAGE=$(rpm -qf "$FILE_PATH")
	SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE")
done

# Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any)
SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | sort -n | uniq) )

# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}"
do
	rpm --setperms "${RPM_PACKAGE}"
done
Remediation Ansible snippet:   (show)

Complexity:high
Disruption:medium
Strategy:restrict
- name: "Read list of files with incorrect permissions"
  shell: "rpm -Va | grep '^.M' | cut -d ' ' -f5- | sed -r 's;^.*\\s+(.+);\\1;g'"
  register: files_with_incorrect_permissions
  failed_when: False
  changed_when: False
  check_mode: no
  tags:
    - rpm_verify_permissions
    - high_severity
    - restrict_strategy
    - high_complexity
    - medium_disruption
    - CCE-27209-6
    - NIST-800-53-AC-6
    - NIST-800-53-AU-9(1)
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010010

- name: "Correct file permissions with RPM"
  shell: "rpm --setperms $(rpm -qf '{{item}}')"
  with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
  when: files_with_incorrect_permissions.stdout_lines | length > 0
  tags:
    - rpm_verify_permissions
    - high_severity
    - restrict_strategy
    - high_complexity
    - medium_disruption
    - CCE-27209-6
    - NIST-800-53-AC-6
    - NIST-800-53-AU-9(1)
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010010

Verify File Hashes with RPM   [ref]rule

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME

Rationale:

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Severity:  high

Remediation Ansible snippet:   (show)

Complexity:high
Disruption:medium
- name: "Set fact: Package manager reinstall command (dnf)"
  set_fact:
    package_manager_reinstall_cmd: dnf reinstall -y
  when: ansible_distribution == "Fedora"
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - CCE-27157-7
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

- name: "Set fact: Package manager reinstall command (yum)"
  set_fact:
    package_manager_reinstall_cmd: yum reinstall -y
  when: ansible_distribution == "RedHat"
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - CCE-27157-7
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

- name: "Read files with incorrect hash"
  shell: "rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | sed -r 's;^.*\\s+(.+);\\1;g'"
  register: files_with_incorrect_hash
  changed_when: False
  when: package_manager_reinstall_cmd is defined
  check_mode: no
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - CCE-27157-7
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

- name: "Reinstall packages of files with incorrect hash"
  shell: "{{package_manager_reinstall_cmd}} $(rpm -qf '{{item}}')"
  with_items: "{{ files_with_incorrect_hash.stdout_lines }}"
  when: package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - CCE-27157-7
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

Endpoint Protection Software   [ref]group

Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base platform. Add-on software may not be appropriate for some specialized systems.

contains 2 rules

Install Intrusion Detection Software   [ref]rule

The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised.

Warning:  Note in DoD environments, supplemental intrusion detection tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. When these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence.
Rationale:

Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

Severity:  high

Identifiers:  CCE-26818-5

References:  SC-7, CCI-001263, Req-11.4

Install Virus Scanning Software   [ref]rule

Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. Ensure virus definition files are no older than 7 days, or their last release. Configure the virus scanning software to perform scans dynamically on all accessed files. If this is not possible, configure the system to scan all altered files on the system on a daily basis. If the system processes inbound SMTP mail, configure the virus scanner to scan all received mail.

Rationale:

Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Severity:  high

Identifiers:  CCE-27140-3

References:  SC-28, SI-3, CCI-001239, CCI-001668

Federal Information Processing Standard (FIPS)   [ref]group

The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic modules. The FIPS standard provides four security levels to ensure adequate coverage of different industries, implementation of cryptographic modules, and organizational sizes and requirements.

FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.

See http://csrc.nist.gov/publications/PubsFIPS.html for more information.

contains 2 rules

Install the dracut-fips Package   [ref]rule

To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:

$ sudo yum install dracut-fips

Rationale:

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Severity:  medium

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable
# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install dracut-fips
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dracut-fips is installed
  package:
    name="{{item}}"
    state=present
  with_items:
    - dracut-fips
  tags:
    - package_dracut-fips_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80358-5
    - NIST-800-53-AC-17(2)
    - NIST-800-171-3.13.11
    - NIST-800-171-3.13.8
    - CJIS-5.10.1.2

Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
include install_dracut-fips

class install_dracut-fips {
  package { 'dracut-fips':
    ensure => 'installed',
  }
}
Remediation Anaconda snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable

package --add=dracut-fips

Enable FIPS Mode in GRUB2   [ref]rule

To ensure FIPS mode is enabled, rebuild initramfs by running the following command:

dracut -f
After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
Finally, rebuild the grub.cfg file by using the
grub2-mkconfig -o
command as follows:
  • On BIOS-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Warning:  Running
dracut -f
will overwrite the existing initramfs file.
Warning:  The system needs to be rebooted for these changes to take effect.
Warning:  The ability to enable FIPS does not denote FIPS compliancy or certification. Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community projects such as CentOS, Scientific Linux, etc. do not necessarily meet FIPS certification and compliancy. Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible.

See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm for a list of FIPS certified vendors.
Rationale:

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Severity:  high

Remediation Shell script:   (show)



if grep --silent ^PRELINKING /etc/sysconfig/prelink ; then
        sed -i "s/^PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
else
        echo -e "\n# Set PRELINKING to 'no' per security requirements" >> /etc/sysconfig/prelink
        echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

prelink -u -a
# Function to install or uninstall packages on RHEL and Fedora systems.
#
# Example Call(s):
#
#     package_command install aide
#     package_command remove telnet-server
#
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}

package_command install dracut-fips

dracut -f

if [ -e /sys/firmware/efi ]; then
	BOOT=`df /boot/efi | tail -1 | awk '{print $1 }'`
else
	BOOT=`df /boot | tail -1 | awk '{ print $1 }'`
fi

# Correct the form of default kernel command line in /etc/default/grub
if ! grep -q "^GRUB_CMDLINE_LINUX=\".*fips=1.*\"" /etc/default/grub;
then
  # Append 'fips=1' argument to /etc/default/grub (if not present yet)
  sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 fips=1\"/" /etc/default/grub
fi

# Edit runtime setting
# Correct the form of kernel command line for each installed kernel in the bootloader
/sbin/grubby --update-kernel=ALL --args="boot=${BOOT} fips=1"

Operating System Vendor Support and Certification   [ref]group

The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A certified product that follows the necessary standards and government certification requirements guarantees that known software vulnerabilities will be remediated, and proper guidance for protecting and securing the operating system will be given.

contains 1 rule

The Installed Operating System Is Vendor Supported and Certified   [ref]rule

The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting and maintaining goverment certifications and standards.

Rationale:

An operating system is considered "supported" if the vendor continues to provide security patches for the product as well as maintain government certification requirements. With an unsupported release, it will not be possible to resolve security issue discovered in the system software as well as meet government certifications.

Severity:  high

Identifiers:  CCE-80349-4

References:  RHEL-07-020250, SI-2(c), CCI-000366, SRG-OS-000480-GPOS-00227

GNOME Desktop Environment   [ref]group

GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user switching contexts as well as display server management.

GNOME is developed by the GNOME Project and is considered the default Red Hat Graphical environment.

For more information on GNOME and the GNOME Project, see https://www.gnome.org

contains 24 rules
contains 6 rules

Disable the GNOME3 Login User List   [ref]rule

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.

Rationale:

Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Severity:  medium

Identifiers:  CCE-80106-8

References:  AC-23

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable the GNOME3 Login User List"
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-user-list
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_user_list
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80106-8
    - NIST-800-53-AC-23

- name: "Prevent user modification of GNOME3 disablement of Login User List"
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/disable-user-list'
    line: '/org/gnome/login-screen/disable-user-list'
  tags:
    - dconf_gnome_disable_user_list
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80106-8
    - NIST-800-53-AC-23

Disable the GNOME3 Login Restart and Shutdown Buttons   [ref]rule

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, the ability the ability to shutdown or restart the system. This functionality should be disabled by setting disable-restart-buttons to true.

To disable, add or edit disable-restart-buttons to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
disable-restart-buttons=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-restart-buttons
After the settings have been set, run dconf update.

Rationale:

A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.

Severity:  high

Identifiers:  CCE-80107-6

References:  RHEL-07-TBD, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.2

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable the GNOME3 Login Restart and Shutdown Buttons"
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-restart-buttons
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_restart_shutdown
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80107-6
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.2
    - DISA-STIG-RHEL-07-TBD

- name: "Prevent user modification of GNOME disablement of Login Restart and Shutdown Buttons"
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/disable-restart-buttons'
    line: '/org/gnome/login-screen/disable-restart-buttons'
  tags:
    - dconf_gnome_disable_restart_shutdown
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80107-6
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.2
    - DISA-STIG-RHEL-07-TBD

Enable the GNOME3 Login Smartcard Authentication   [ref]rule

In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true.

To enable, add or edit enable-smartcard-authentication to /etc/dconf/db/gdm.d/00-security-settings. For example:

[org/gnome/login-screen]
enable-smartcard-authentication=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/enable-smartcard-authentication
After the settings have been set, run dconf update.

Rationale:

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

Severity:  medium

Configure GNOME Screen Locking   [ref]group

In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting Lock.

The following sections detail commands to enforce idle activation of the screensaver, screen locking, a blank-screen screensaver, and an idle activation time.

Because users should be trained to lock the screen when they step away from the computer, the automatic locking feature is only meant as a backup.

The root account can be screen-locked; however, the root account should never be used to log into an X Windows environment and should only be used to for direct login via console in emergency circumstances.

For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see http://wiki.gnome.org/dconf and the man page dconf(1). For Red Hat specific information on configuring DConf settings, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.html

contains 8 rules

Set GNOME3 Screensaver Inactivity Timeout   [ref]rule

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:

[org/gnome/desktop/session]
idle-delay='uint32 900'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.

Severity:  medium

Identifiers:  CCE-80110-0

References:  RHEL-07-010070, AC-11(a), CCI-000057, Req-8.1.8, SRG-OS-000029-GPOS-00010, 5.5.5, 3.1.10

Remediation Shell script:   (show)


inactivity_timeout_value="900"

# Define constants to be reused below
ORG_GNOME_DESKTOP_SESSION="org/gnome/desktop/session"
SSG_DCONF_IDLE_DELAY_FILE="/etc/dconf/db/local.d/10-scap-security-guide"
SESSION_LOCKS_FILE="/etc/dconf/db/local.d/locks/session"
IDLE_DELAY_DEFINED="FALSE"

# First update '[org/gnome/desktop/session] idle-delay' settings in
# /etc/dconf/db/local.d/* if already defined
for FILE in /etc/dconf/db/local.d/*
do
	if grep -q -d skip "$ORG_GNOME_DESKTOP_SESSION" "$FILE"
	then
		if grep 'idle-delay' "$FILE"
		then
			sed -i "s/idle-delay=.*/idle-delay=uint32 ${inactivity_timeout_value}/g" "$FILE"
			IDLE_DELAY_DEFINED="TRUE"
		fi
	fi
done

# Then define '[org/gnome/desktop/session] idle-delay' setting
# if still not defined yet
if [ "$IDLE_DELAY_DEFINED" != "TRUE" ]
then
	echo "" >> $SSG_DCONF_IDLE_DELAY_FILE
	echo "[org/gnome/desktop/session]" >>  $SSG_DCONF_IDLE_DELAY_FILE
	echo "idle-delay=uint32 ${inactivity_timeout_value}" >> $SSG_DCONF_IDLE_DELAY_FILE
fi

# Verify if 'idle-delay' modification is locked. If not, lock it
if ! grep -q "^/${ORG_GNOME_DESKTOP_SESSION}/idle-delay$" /etc/dconf/db/local.d/locks/*
then
	# Check if "$SESSION_LOCK_FILE" exists. If not, create it.
	if [ ! -f "$SESSION_LOCKS_FILE" ]
	then
		touch "$SESSION_LOCKS_FILE"
	fi
	echo "/${ORG_GNOME_DESKTOP_SESSION}/idle-delay" >> "$SESSION_LOCKS_FILE"
fi

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: XCCDF Value inactivity_timeout_value # promote to variable
  set_fact:
    inactivity_timeout_value: 900
  tags:
    - always

- name: "Set GNOME3 Screensaver Inactivity Timeout"
  ini_file:
    dest: "/etc/dconf/db/local/d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: idle-delay
    value: "{{ inactivity_timeout_value }}"
    create: yes
  tags:
    - dconf_gnome_screensaver_idle_delay
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80110-0
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5
    - DISA-STIG-RHEL-07-010070

- name: "Prevent user modification of GNOME idle-delay"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/idle-delay'
    line: '/org/gnome/desktop/screensaver/idle-delay'
  tags:
    - dconf_gnome_screensaver_idle_delay
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80110-0
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5
    - DISA-STIG-RHEL-07-010070

Enable GNOME3 Screensaver Idle Activation   [ref]rule

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
idle_activation_enabled=true
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area.

Severity:  medium

Identifiers:  CCE-80111-8

References:  RHEL-07-010100, AC-11(a), CCI-000057, SRG-OS-000029-GPOS-00010, Req-8.1.8, 5.5.5, 3.1.10

Remediation Shell script:   (show)


# Define constants to be reused below
ORG_GNOME_DESKTOP_SCREENSAVER="org/gnome/desktop/screensaver"
SSG_DCONF_IDLE_ACTIVATION_FILE="/etc/dconf/db/local.d/10-scap-security-guide"
SCREENSAVER_LOCKS_FILE="/etc/dconf/db/local.d/locks/screensaver"
IDLE_ACTIVATION_DEFINED="FALSE"

# First update '[org/gnome/desktop/screensaver] idle-activation-enabled' settings in
# /etc/dconf/db/local.d/* if already defined
for FILE in /etc/dconf/db/local.d/*
do
	if grep -q -d skip "$ORG_GNOME_DESKTOP_SCREENSAVER" "$FILE"
	then
		if grep 'idle-activation-enabled' "$FILE"
		then
			sed -i "s/idle-activation-enabled=.*/idle-activation-enabled=true/g" "$FILE"
			IDLE_ACTIVATION_DEFINED="TRUE"
		fi
	fi
done

# Then define '[org/gnome/desktop/screensaver] idle-activation-enabled' setting
# if still not defined yet
if [ "$IDLE_ACTIVATION_DEFINED" != "TRUE" ]
then
	echo "" >> $SSG_DCONF_IDLE_ACTIVATION_FILE
	echo "[org/gnome/desktop/screensaver]" >>  $SSG_DCONF_IDLE_ACTIVATION_FILE
	echo "idle-activation-enabled=true" >> $SSG_DCONF_IDLE_ACTIVATION_FILE
fi

# Verify if 'idle-activation-enabled' modification is locked. If not, lock it
if ! grep -q "^/${ORG_GNOME_DESKTOP_SCREENSAVER}/idle-activation-enabled$" /etc/dconf/db/local.d/locks/*
then
	# Check if "$SCREENSAVER_LOCK_FILE" exists. If not, create it.
	if [ ! -f "$SCREENSAVER_LOCKS_FILE" ]
	then
		touch "$SCREENSAVER_LOCKS_FILE"
	fi
	echo "/${ORG_GNOME_DESKTOP_SCREENSAVER}/idle-activation-enabled" >> "$SCREENSAVER_LOCKS_FILE"
fi

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Enable GNOME3 Screensaver Idle Activation"
  ini_file:
    dest: "/etc/dconf/db/local/d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: idle_activation_enabled
    value: true
    create: yes
  tags:
    - dconf_gnome_screensaver_idle_activation_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80111-8
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5
    - DISA-STIG-RHEL-07-010100

- name: "Prevent user modification of GNOME idle_activation_enabled"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled'
    line: '/org/gnome/desktop/screensaver/idle-activation-enabled'
  tags:
    - dconf_gnome_screensaver_idle_activation_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80111-8
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5
    - DISA-STIG-RHEL-07-010100

Enable GNOME3 Screensaver Lock After Idle Period   [ref]rule

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Severity:  medium

Remediation Shell script:   (show)


var_screensaver_lock_delay="0"

# Define constants to be reused below
ORG_GNOME_DESKTOP_SCREENSAVER="org/gnome/desktop/screensaver"
SSG_DCONF_LOCK_ENABLED_FILE="/etc/dconf/db/local.d/10-scap-security-guide"
SCREENSAVER_LOCKS_FILE="/etc/dconf/db/local.d/locks/screensaver"
LOCK_ENABLED_DEFINED="FALSE"
LOCK_DELAY_DEFINED="FALSE"

# First update '[org/gnome/desktop/screensaver] lock-enabled' and
# '[org/gnome/desktop/screensaver] lock-delay' settings in
# /etc/dconf/db/local.d/* if already defined
for FILE in /etc/dconf/db/local.d/*
do
	if grep -q -d skip "$ORG_GNOME_DESKTOP_SCREENSAVER" "$FILE"
	then
		if grep 'lock-enabled' "$FILE"
		then
			sed -i "s/lock-enabled=.*/lock-enabled=true/g" "$FILE"
			LOCK_ENABLED_DEFINED="TRUE"
		fi
		if grep 'lock-delay' "$FILE"
		then
			sed -i "s/lock-delay=.*/lock-delay=uint32 0/g" "$FILE"
			LOCK_DELAY_DEFINED="TRUE"
		fi
	fi
done

# Then define '[org/gnome/desktop/screensaver] lock-enabled' setting
# if still not defined yet
if [ "$LOCK_ENABLED_DEFINED" != "TRUE" ] || [ "$LOCK_DELAY_DEFINED" != "TRUE" ]
then
	echo "" >> $SSG_DCONF_LOCK_ENABLED_FILE
	echo "[org/gnome/desktop/screensaver]" >>  $SSG_DCONF_LOCK_ENABLED_FILE
	echo "lock-enabled=true" >> $SSG_DCONF_LOCK_ENABLED_FILE
	echo "lock-delay=uint32 ${var_screensaver_lock_delay} " >> $SSG_DCONF_LOCK_ENABLED_FILE
fi

# Verify if 'lock-enabled' modification is locked. If not, lock it
if ! grep -q "^/${ORG_GNOME_DESKTOP_SCREENSAVER}/lock-enabled$" /etc/dconf/db/local.d/locks/*
then
	# Check if "$SCREENSAVER_LOCK_FILE" exists. If not, create it.
	if [ ! -f "$SCREENSAVER_LOCKS_FILE" ]
	then
		touch "$SCREENSAVER_LOCKS_FILE"
	fi
	echo "/${ORG_GNOME_DESKTOP_SCREENSAVER}/lock-enabled" >> "$SCREENSAVER_LOCKS_FILE"
fi


# Verify if 'lock-delay' modification is locked. If not, lock it
if ! grep -q "^/${ORG_GNOME_DESKTOP_SCREENSAVER}/lock-delay$" /etc/dconf/db/local.d/locks/*
then
        # Check if "$SCREENSAVER_LOCK_FILE" exists. If not, create it.
        if [ ! -f "$SCREENSAVER_LOCKS_FILE" ]
        then
                touch "$SCREENSAVER_LOCKS_FILE"
        fi
        echo "/${ORG_GNOME_DESKTOP_SCREENSAVER}/lock-delay" >> "$SCREENSAVER_LOCKS_FILE"
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Enable GNOME3 Screensaver Lock After Idle Period"
  ini_file:
    dest: "/etc/dconf/db/local/d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: lock-enabled
    value: true
    create: yes
  tags:
    - dconf_gnome_screensaver_lock_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80112-6
    - NIST-800-53-AC-11(b)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5
    - DISA-STIG-RHEL-07-010060

- name: "Prevent user modification of GNOME lock-enabled"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/lock-enabled'
    line: '/org/gnome/desktop/screensaver/lock-enabled'
  tags:
    - dconf_gnome_screensaver_lock_enabled
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80112-6
    - NIST-800-53-AC-11(b)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5
    - DISA-STIG-RHEL-07-010060

Set GNOME3 Screensaver Lock Delay After Activation Period   [ref]rule

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 0 in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32 0
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.

Rationale:

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense.

Severity:  medium

Identifiers:  CCE-80370-0

References:  RHEL-07-010110, AC-11(a), CCI-000056, Req-8.1.8, OS-SRG-000029-GPOS-00010, 3.1.10

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Set GNOME3 Screensaver Lock Delay After Activation Period"
  ini_file:
    dest: "/etc/dconf/db/local/d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: lock-delay
    value: uint32 5
    create: yes
  tags:
    - dconf_gnome_screensaver_lock_delay
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80370-0
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010110

- name: "Prevent user modification of GNOME lock-delay"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/lock-delay'
    line: '/org/gnome/desktop/screensaver/lock-delay'
  tags:
    - dconf_gnome_screensaver_lock_delay
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80370-0
    - NIST-800-53-AC-11(a)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - DISA-STIG-RHEL-07-010110

Implement Blank Screensaver   [ref]rule

To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.

Rationale:

Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Severity:  low

Identifiers:  CCE-80113-4

References:  AC-11(b), CCI-000060, Req-8.1.8, 5.5.5, 3.1.10

Remediation Shell script:   (show)


# Define constants to be reused below
ORG_GNOME_DESKTOP_SCREENSAVER="org/gnome/desktop/screensaver"
SSG_DCONF_MODE_BLANK_FILE="/etc/dconf/db/local.d/10-scap-security-guide"
SCREENSAVER_LOCKS_FILE="/etc/dconf/db/local.d/locks/screensaver"
MODE_BLANK_DEFINED="FALSE"

# First update '[org/gnome/desktop/screensaver] picture-uri' settings in
# /etc/dconf/db/local.d/* if already defined
for FILE in /etc/dconf/db/local.d/*
do
	if grep -q -d skip "$ORG_GNOME_DESKTOP_SCREENSAVER" "$FILE"
	then
		if grep 'picture-uri' "$FILE"
		then
			sed -i "s/picture-uri=.*/picture-uri=string ''/g" "$FILE"
			MODE_BLANK_DEFINED="TRUE"
		fi
	fi
done

# Then define '[org/gnome/desktop/screensaver] picture-uri' setting
# if still not defined yet
if [ "$MODE_BLANK_DEFINED" != "TRUE" ]
then
	echo "" >> $SSG_DCONF_MODE_BLANK_FILE
	echo "[org/gnome/desktop/screensaver]" >>  $SSG_DCONF_MODE_BLANK_FILE
	echo "picture-uri=string ''" >> $SSG_DCONF_MODE_BLANK_FILE
fi

# Verify if 'picture-uri' modification is locked. If not, lock it
if ! grep -q "^/${ORG_GNOME_DESKTOP_SCREENSAVER}/picture-uri$" /etc/dconf/db/local.d/locks/*
then
	# Check if "$SCREENSAVER_LOCK_FILE" exists. If not, create it.
	if [ ! -f "$SCREENSAVER_LOCKS_FILE" ]
	then
		touch "$SCREENSAVER_LOCKS_FILE"
	fi
	echo "/${ORG_GNOME_DESKTOP_SCREENSAVER}/picture-uri" >> "$SCREENSAVER_LOCKS_FILE"
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Implement Blank Screensaver"
  ini_file:
    dest: "/etc/dconf/db/local/d/00-security-settings"
    section: "org/gnome/desktop/screensaver"
    option: picture-uri
    value: string ''
    create: yes
  tags:
    - dconf_gnome_screensaver_mode_blank
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80113-4
    - NIST-800-53-AC-11(b)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5

- name: "Prevent user modification of GNOME picture-uri"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/screensaver/picture-uri'
    line: '/org/gnome/desktop/screensaver/picture-uri'
  tags:
    - dconf_gnome_screensaver_mode_blank
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80113-4
    - NIST-800-53-AC-11(b)
    - NIST-800-171-3.1.10
    - PCI-DSS-Req-8.1.8
    - CJIS-5.5.5

Ensure Users Cannot Change GNOME3 Screensaver Settings   [ref]rule

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Severity:  medium

Identifiers:  CCE-80371-8

References:  RHEL-07-010081, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10

Ensure Users Cannot Change GNOME3 Session Idle Settings   [ref]rule

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.

Rationale:

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Severity:  medium

Identifiers:  CCE-80544-0

References:  RHEL-07-010082, AC-11(a), CCI-000057, SRG-OS-00029-GPOS-0010, 3.1.10

GNOME System Settings   [ref]group

GNOME provides configuration and functionality to a graphical desktop environment that changes grahical configurations or allow a user to perform actions that users normally would not be able to do in non-graphical mode such as remote access configuration, power policies, Geo-location, etc. Configuring such settings in GNOME will prevent accidential graphical configuration changes by users from taking place.

contains 3 rules

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3   [ref]rule

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to string '' in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/settings-daemon/plugins/media-keys]
logout=string ''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.

Rationale:

A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Severity:  high

Identifiers:  CCE-80124-1

References:  RHEL-07-TBD, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.2

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/settings-daemon/plugins/media-keys
    option: logout
    value: string ''
    create: yes
  tags:
    - dconf_gnome_disable_ctrlaltdel_reboot
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80124-1
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.2
    - DISA-STIG-RHEL-07-TBD

- name: "Prevent user modification of GNOME disablement of Ctrl-Alt-Del"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/settings-daemon/plugins/media-keys/logout'
    line: '/org/gnome/settings-daemon/plugins/media-keys/logout'
  tags:
    - dconf_gnome_disable_ctrlaltdel_reboot
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80124-1
    - NIST-800-53-AC-6
    - NIST-800-171-3.1.2
    - DISA-STIG-RHEL-07-TBD

Disable User Administration in GNOME3   [ref]rule

By default, GNOME will allow all users to have some administratrion capability. This should be disabled so that non-administrative users are not making configuration changes. To configure the system to disable user administration capability in the Graphical User Interface (GUI), add or set user-administration-disabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/lockdown]
user-administration-disabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/lockdown/user-administration-disabled
After the settings have been set, run dconf update.

Rationale:

Allowing all users to have some administratrive capabilities to the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes as well as a nefarious user the capability to make system changes such as adding new accounts, etc.

Severity:  high

Identifiers:  CCE-80115-9

References:  3.1.5

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable User Administration in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/lockdown
    option: user-administration-disabled
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_user_admin
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80115-9
    - NIST-800-171-3.1.5

- name: "Prevent user modification of GNOME3 Thumbnailers"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/lockdown/user-administration-disabled'
    line: '/org/gnome/desktop/lockdown/user-administration-disabled'
  tags:
    - dconf_gnome_disable_user_admin
    - high_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80115-9
    - NIST-800-171-3.1.5

Disable Geolocation in GNOME3   [ref]rule

GNOME allows the clock and applications to track and access location information. This setting should be disabled as applications should not track system location. To configure the system to disable location tracking, add or set enabled to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/system/location]
enabled=false
To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/clocks]
geolocation=false
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/system/location/enabled
/org/gnome/clocks/geolocation
After the settings have been set, run dconf update.

Rationale:

Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

Severity:  medium

Identifiers:  CCE-80117-5

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable Geolocation in GNOME3 - location tracking"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/system/location
    option: enabled
    value: false
    create: yes
  tags:
    - dconf_gnome_disable_geolocation
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80117-5

- name: "Disable Geolocation in GNOME3 - clock location tracking"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/clocks
    option: gelocation
    value: false
    create: yes

- name: "Prevent user modification of GNOME geolocation - location tracking"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/system/location/enabled'
    line: '/org/gnome/system/location/enabled'
  tags:
    - dconf_gnome_disable_geolocation
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80117-5

- name: "Prevent user modification of GNOME geolocation - clock location tracking"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/clocks/geolocation'
    line: '/org/gnome/clocks/geolocation'
  tags:
    - dconf_gnome_disable_geolocation
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80117-5

GNOME Network Settings   [ref]group

GNOME network settings that apply to the graphical interface.

contains 2 rules

Disable WIFI Network Connection Creation in GNOME3   [ref]rule

GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Wireless connections should be disabled by adding or setting disable-wifi-create to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
disable-wifi-create=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/disable-wifi-create
After the settings have been set, run dconf update.

Rationale:

Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

Severity:  medium

Identifiers:  CCE-80118-3

References:  3.1.16

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable WiFi Network Connection Creation in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: disable-wifi-create
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_wifi_create
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80118-3
    - NIST-800-171-3.1.16

- name: "Prevent user modification of GNOME3 disablement of WiFi"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/nm-applet/disable-wifi-create'
    line: '/org/gnome/nm-applet/disable-wifi-create'
  tags:
    - dconf_gnome_disable_wifi_create
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80118-3
    - NIST-800-171-3.1.16

Disable WIFI Network Notification in GNOME3   [ref]rule

By default, GNOME disables WIFI notification. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the WIFI notication, add or set suppress-wireless-networks-available to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
suppress-wireless-networks-available=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/suppress-wireless-networks-available
After the settings have been set, run dconf update.

Rationale:

Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks.

Severity:  medium

Identifiers:  CCE-80119-1

References:  3.1.16

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable WiFi Network Notification in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: suppress-wireless-networks-available
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_wifi_notification
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80119-1
    - NIST-800-171-3.1.16

- name: "Prevent user modification of GNOME3 disablement of WiFi"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/nm-applet/suppress-wireless-networks-available'
    line: '/org/gnome/nm-applet/suppress-wireless-networks-available'
  tags:
    - dconf_gnome_disable_wifi_notification
    - medium_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80119-1
    - NIST-800-171-3.1.16

GNOME Remote Access Settings   [ref]group

GNOME remote access settings that apply to the graphical interface.

contains 2 rules

Require Credential Prompting for Remote Access in GNOME3   [ref]rule

By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.

Rationale:

Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.

Severity:  medium

Identifiers:  CCE-80120-9

References:  3.1.12

Require Encryption for Remote Access in GNOME3   [ref]rule

By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.

Rationale:

Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

Severity:  medium

Identifiers:  CCE-80121-7

References:  RHEL-07-TBD, CM-2(1)(b), CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.13

GNOME Media Settings   [ref]group

GNOME media settings that apply to the graphical interface.

contains 2 rules

Disable GNOME3 Automounting   [ref]rule

The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount and autorun within GNOME3, add or set automount to false, automount-open to false, and autorun-never to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
automount=false
automount-open=false
autorun-never=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/media-handling/automount
/org/gnome/desktop/media-handling/automount-open
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.

Rationale:

Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Severity:  low

Identifiers:  CCE-80122-5

References:  AC-19(a), AC-19(d), AC-19(e), 3.1.7

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable GNOME3 Automounting - automount"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: automount
    value: false
    create: yes
  tags:
    - dconf_gnome_disable_automount
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80122-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-171-3.1.7

- name: "Prevent user modification of GNOME3 Automounting - automount"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/media-handling/automount'
    line: '/org/gnome/desktop/media-handling/automount'
  tags:
    - dconf_gnome_disable_automount
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80122-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-171-3.1.7

- name: "Disable GNOME3 Automounting - automount-open"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: automount-open
    value: false
    create: yes
  tags:
    - dconf_gnome_disable_automount
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80122-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-171-3.1.7

- name: "Prevent user modification of GNOME3 Automounting - automount-open"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/media-handling/automount-open'
    line: '/org/gnome/desktop/media-handling/automount-open'
  tags:
    - dconf_gnome_disable_automount
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80122-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-171-3.1.7

- name: "Disable GNOME3 Automounting - autorun-never"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: autorun-never
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_automount
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80122-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-171-3.1.7

- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
    line: '/org/gnome/desktop/media-handling/autorun-never'
  tags:
    - dconf_gnome_disable_automount
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80122-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-171-3.1.7

Disable All GNOME3 Thumbnailers   [ref]rule

The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set disable-all to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/thumbnailers]
disable-all=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/thumbnailers/disable-all
After the settings have been set, run dconf update. This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators.

Rationale:

An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload for example) and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.

Severity:  low

Identifiers:  CCE-80123-3

References:  CM-7

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
- name: "Disable All GNOME3 Thumbnailers"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/thumbnailers
    option: disable-all
    value: true
    create: yes
  tags:
    - dconf_gnome_disable_thumbnailers
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80123-3
    - NIST-800-53-CM-7

- name: "Prevent user modification of GNOME3 Thumbnailers"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/thumbnailers/disable-all'
    line: '/org/gnome/desktop/thumbnailers/disable-all'
  tags:
    - dconf_gnome_disable_thumbnailers
    - low_severity
    - unknown_strategy
    - low_complexity
    - medium_disruption
    - CCE-80123-3
    - NIST-800-53-CM-7

File Permissions and Masks   [ref]group

Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.

Several of the commands in this section search filesystems for files or directories with certain characteristics, and are intended to be run on every local partition on a given system. When the variable PART appears in one of the commands below, it means that the command is intended to be run repeatedly, with the name of each local partition substituted for PART in turn.

The following command prints a list of all xfs partitions on the local system, which is the default filesystem for Red Hat Enterprise Linux 7 installations:

$ mount -t xfs | awk '{print $3}'
For any systems that use a different local filesystem type, modify this command as appropriate.

contains 20 rules

Restrict Partition Mount Options   [ref]group

System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the /etc/fstab configuration file, and can be used to make certain types of malicious behavior more difficult.

contains 3 rules

Add nodev Option to Removable Media Partitions   [ref]rule

The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale:

The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems.

Severity:  low

Identifiers:  CCE-80146-4

References:  AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, 1.1.18

Remediation Shell script:   (show)


var_removable_partition="(N/A)"

NEW_OPT="nodev"

if [ $(grep "$var_removable_partition" /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
  MNT_OPTS=$(grep "$var_removable_partition" /etc/fstab | awk '{print $4}')
  sed -i "s|\($var_removable_partition.*${MNT_OPTS}\)|\1,${NEW_OPT}|" /etc/fstab
fi

Add noexec Option to Removable Media Partitions   [ref]rule

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale:

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Severity:  low

Identifiers:  CCE-80147-2

References:  AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, CCI-000087, 1.1.20

Remediation Shell script:   (show)


var_removable_partition="(N/A)"

NEW_OPT="noexec"

if [ $(grep "$var_removable_partition" /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
  MNT_OPTS=$(grep "$var_removable_partition" /etc/fstab | awk '{print $4}')
  sed -i "s|\($var_removable_partition.*${MNT_OPTS}\)|\1,${NEW_OPT}|" /etc/fstab
fi

Add nosuid Option to Removable Media Partitions   [ref]rule

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale:

The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.

Severity:  low

Remediation Shell script:   (show)


var_removable_partition="(N/A)"

NEW_OPT="nosuid"

if [ $(grep "$var_removable_partition" /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
  MNT_OPTS=$(grep "$var_removable_partition" /etc/fstab | awk '{print $4}')
  sed -i "s|\($var_removable_partition.*${MNT_OPTS}\)|\1,${NEW_OPT}|" /etc/fstab
fi

Restrict Dynamic Mounting and Unmounting of Filesystems   [ref]group

Linux includes a number of facilities for the automated addition and removal of filesystems on a running system. These facilities may be necessary in many environments, but this capability also carries some risk -- whether direct risk from allowing users to introduce arbitrary filesystems, or risk that software flaws in the automated mount facility itself could allow an attacker to compromise the system.

This command can be used to list the types of filesystems that are available to the currently executing kernel:

$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
If these filesystems are not required then they can be explicitly disabled in a configuratio file in /etc/modprobe.d.

contains 9 rules

Disable Modprobe Loading of USB Storage Driver   [ref]rule

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

Rationale:

USB storage devices such as thumb drives can be used to introduce malicious software.

Severity:  medium

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then
	sed -i 's/^install usb-storage.*/install usb-storage /bin/true/g' /etc/modprobe.d/usb-storage.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf
	echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'usb-storage' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - usb-storage
  tags:
    - kernel_module_usb-storage_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-27277-3
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-53-IA-3
    - NIST-800-171-3.1.21
    - DISA-STIG-RHEL-07-020100

Disable Kernel Support for USB via Bootloader Configuration   [ref]rule

All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. To do so, append "nousb" to the kernel line in /etc/default/grub as shown:

kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
WARNING: Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.

Rationale:

Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.

Severity:  low

Identifiers:  CCE-26548-8

References:  AC-19(a), AC-19(d), AC-19(e), CCI-001250

Remediation Shell script:   (show)


# Correct the form of default kernel command line in /etc/default/grub
if ! grep -q ^GRUB_CMDLINE_LINUX=\".*nousb.*\" /etc/default/grub;
then
  # Edit configuration setting
  # Append 'nousb' argument to /etc/default/grub (if not present yet)
  sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub
  # Edit runtime setting
  # Correct the form of kernel command line for each installed kernel in the bootloader
  /sbin/grubby --update-kernel=ALL --args="nousb"
fi

Disable the Automounter   [ref]rule

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:

$ sudo systemctl disable autofs.service

Rationale:

Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Severity:  medium

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:disable
# Function to enable/disable and start/stop services on RHEL and Fedora systems.
#
# Example Call(s):
#
#     service_command enable bluetooth
#     service_command disable bluetooth.service
#
#     Using xinetd:
#     service_command disable rsh.socket xinetd=rsh
#
function service_command {

# Load function arguments into local variables
local service_state=$1
local service=$2
local xinetd=$(echo $3 | cut -d'=' -f2)

# Check sanity of the input
if [ $# -lt "2" ]
then
  echo "Usage: service_command 'enable/disable' 'service_name.service'"
  echo
  echo "To enable or disable xinetd services add \'xinetd=service_name\'"
  echo "as the last argument"  
  echo "Aborting."
  exit 1
fi

# If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands
if [ -f "/usr/bin/systemctl" ] ; then
  service_util="/usr/bin/systemctl"
else
  service_util="/sbin/service"
  chkconfig_util="/sbin/chkconfig"
fi

# If disable is not specified in arg1, set variables to enable services.
# Otherwise, variables are to be set to disable services.
if [ "$service_state" != 'disable' ] ; then
  service_state="enable"
  service_operation="start"
  chkconfig_state="on"
else
  service_state="disable"
  service_operation="stop"
  chkconfig_state="off"
fi

# If chkconfig_util is not empty, use chkconfig/service commands.
if ! [ "x$chkconfig_util" = x ] ; then
  $service_util $service $service_operation
  $chkconfig_util --level 0123456 $service $chkconfig_state
else
  $service_util $service_operation $service
  $service_util $service_state $service
fi

# Test if local variable xinetd is empty using non-bashism.
# If empty, then xinetd is not being used.
if ! [ "x$xinetd" = x ] ; then
  grep -qi disable /etc/xinetd.d/$xinetd && \

  if ! [ "$service_operation" != 'disable' ] ; then
    sed -i "s/disable.*/disable         = no/gI" /etc/xinetd.d/$xinetd
  else
    sed -i "s/disable.*/disable         = yes/gI" /etc/xinetd.d/$xinetd
  fi
fi

}

service_command disable autofs
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:disable
- name: Disable service autofs
  service:
    name="{{item}}"
    enabled="no"
    state="stopped"
  with_items:
    - autofs
  tags:
    - service_autofs_disabled
    - medium_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - CCE-27498-5
    - NIST-800-53-AC-19(a)
    - NIST-800-53-AC-19(d)
    - NIST-800-53-AC-19(e)
    - NIST-800-53-IA-3
    - NIST-800-171-3.4.6
    - DISA-STIG-RHEL-07-020110

Disable Mounting of cramfs   [ref]rule

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:  low

Identifiers:  CCE-80137-3

References:  CM-7, 1.1.1.1, 3.4.6

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
	sed -i 's/^install cramfs.*/install cramfs /bin/true/g' /etc/modprobe.d/cramfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
	echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'cramfs' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - cramfs
  tags:
    - kernel_module_cramfs_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80137-3
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6

Disable Mounting of freevxfs   [ref]rule

To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:  low

Identifiers:  CCE-80138-1

References:  CM-7, 1.1.1.2, 3.4.6

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then
	sed -i 's/^install freevxfs.*/install freevxfs /bin/true/g' /etc/modprobe.d/freevxfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf
	echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'freevxfs' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - freevxfs
  tags:
    - kernel_module_freevxfs_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80138-1
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6

Disable Mounting of jffs2   [ref]rule

To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:  low

Identifiers:  CCE-80139-9

References:  CM-7, 1.1.1.3, 3.4.6

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install jffs2" /etc/modprobe.d/jffs2.conf ; then
	sed -i 's/^install jffs2.*/install jffs2 /bin/true/g' /etc/modprobe.d/jffs2.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf
	echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'jffs2' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - jffs2
  tags:
    - kernel_module_jffs2_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80139-9
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6

Disable Mounting of hfs   [ref]rule

To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:  low

Identifiers:  CCE-80140-7

References:  CM-7, 1.1.1.4, 3.4.6

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install hfs" /etc/modprobe.d/hfs.conf ; then
	sed -i 's/^install hfs.*/install hfs /bin/true/g' /etc/modprobe.d/hfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf
	echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'hfs' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - hfs
  tags:
    - kernel_module_hfs_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80140-7
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6

Disable Mounting of hfsplus   [ref]rule

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:  low

Identifiers:  CCE-80141-5

References:  CM-7, 1.1.1.5, 3.4.6

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
	sed -i 's/^install hfsplus.*/install hfsplus /bin/true/g' /etc/modprobe.d/hfsplus.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf
	echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'hfsplus' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - hfsplus
  tags:
    - kernel_module_hfsplus_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80141-5
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6

Disable Mounting of squashfs   [ref]rule

To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:

install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.

Rationale:

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Severity:  low

Identifiers:  CCE-80142-3

References:  CM-7, 1.1.1.6, 3.4.6

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
if grep --silent "^install squashfs" /etc/modprobe.d/squashfs.conf ; then
	sed -i 's/^install squashfs.*/install squashfs /bin/true/g' /etc/modprobe.d/squashfs.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf
	echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure kernel module 'squashfs' is disabled
  lineinfile:
    create=yes
    dest="/etc/modprobe.d/{{item}}.conf"
    regexp="{{item}}"
    line="install {{item}} /bin/true"
  with_items:
    - squashfs
  tags:
    - kernel_module_squashfs_disabled
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-80142-3
    - NIST-800-53-CM-7
    - NIST-800-171-3.4.6

Verify Permissions on Important Files and Directories   [ref]group

Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen.

contains 3 rules

Ensure All Files Are Owned by a User   [ref]rule

If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user.

Rationale:

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Severity:  medium

Identifiers:  CCE-80134-0

References:  RHEL-07-020320, AC-3(4), AC-6, CM-6(b), CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.11

Ensure All Files Are Owned by a Group   [ref]rule

If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale:

Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.

Severity:  medium

Identifiers:  CCE-80135-7

References:  RHEL-07-020330, AC-3(4), AC-6, IA-2, CCI-002165, SRG-OS-000480-GPOS-00227, 6.1.12

Ensure All World-Writable Directories Are Owned by a System Account   [ref]rule

All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.

Rationale:

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

Severity:  low

Identifiers:  CCE-80136-5

References:  RHEL-07-021030, AC-6, CCI-000366, SRG-OS-000480-GPOS-00227

Restrict Programs from Dangerous Execution Patterns   [ref]group

The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.

contains 5 rules

Disable Core Dumps   [ref]group

A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.

Once a hard limit is set in /etc/security/limits.conf, a user cannot increase that limit within his or her own session. If access to core dumps is required, consider restricting them to only certain users or groups. See the limits.conf man page for more information.

The core dumps of setuid programs are further protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core dumps from these programs at all. The default value of 0 is recommended.

contains 1 rule

Disable Core Dumps for SUID programs   [ref]rule

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command:

$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0

Rationale:

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Severity:  low

Identifiers:  CCE-26900-1

References:  SI-11, 1.5.1

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable


#
# Set runtime for fs.suid_dumpable
#
/sbin/sysctl -q -n -w fs.suid_dumpable=0

#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#	else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/sysctl.conf' '^fs.suid_dumpable' "0" 'CCE-26900-1'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure sysctl fs.suid_dumpable is set to 0
  sysctl:
    name: fs.suid_dumpable
    value: 0
    state: present
    reload: yes
  tags:
    - sysctl_fs_suid_dumpable
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-26900-1
    - NIST-800-53-SI-11

Enable ExecShield   [ref]group

ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These protections are enabled by default on 32-bit systems and controlled through sysctl variables kernel.exec-shield and kernel.randomize_va_space. On the latest 64-bit systems, kernel.exec-shield cannot be enabled or disabled with sysctl.

contains 2 rules

Enable ExecShield   [ref]rule

By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in /etc/default/grub. For Red Hat Enterprise Linux 7 32-bit systems, sysctl can be used to enable ExecShield.

Rationale:

ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

Severity:  medium

Identifiers:  CCE-27211-2

References:  SC-39, CCI-002530, 3.1.7, 1.5.2

Remediation Shell script:   (show)



if [ $(getconf LONG_BIT) = "32" ] ; then
  #
  # Set runtime for kernel.exec-shield
  #
  sysctl -q -n -w kernel.exec-shield=1

  #
  # If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
  #	else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
  #
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

  replace_or_append '/etc/sysctl.conf' '^kernel.exec-shield' '1' 'CCE-27211-2'
fi

if [ $(getconf LONG_BIT) = "64" ] ; then
  if grep --silent noexec /boot/grub2/grub*.cfg ; then 
        sed -i "s/noexec.*//g" /etc/default/grub
        sed -i "s/noexec.*//g" /etc/grub.d/*
        GRUBCFG=`ls | grep '.cfg$'`
        grub2-mkconfig -o /boot/grub2/$GRUBCFG
  fi
fi

Enable Randomized Layout of Virtual Address Space   [ref]rule

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:

$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2

Rationale:

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Severity:  medium

Identifiers:  CCE-27127-0

References:  SC-30(2), 1.5.1, 3.1.7, CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-07-040201

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' 'CCE-27127-0'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: 2
    state: present
    reload: yes
  tags:
    - sysctl_kernel_randomize_va_space
    - medium_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-27127-0
    - NIST-800-53-SC-30(2)
    - NIST-800-171-3.1.7
    - DISA-STIG-RHEL-07-040201

Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems   [ref]group

Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.

contains 1 rule

Install PAE Kernel on Supported 32-bit x86 Systems   [ref]rule

Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:

$ sudo yum install kernel-PAE
The installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary.

Warning:  The kernel-PAE package should not be installed on older systems that do not support the XD or NX bit, as this may prevent them from booting.
Rationale:

On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.

Severity:  low

Identifiers:  CCE-27116-3

References:  CM-6(b), 3.1.7

Restrict Access to Kernel Message Buffer   [ref]rule

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1

Rationale:

Unprivileged access to the kernel syslog can expose sensitive kernel address information.

Severity:  low

Identifiers:  CCE-27050-4

References:  SI-11, CCI-001314, 3.1.5

Remediation Shell script:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable


#
# Set runtime for kernel.dmesg_restrict
#
/sbin/sysctl -q -n -w kernel.dmesg_restrict=1

#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
#	else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
#
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/sysctl.conf' '^kernel.dmesg_restrict' "1" 'CCE-27050-4'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure sysctl kernel.dmesg_restrict is set to 1
  sysctl:
    name: kernel.dmesg_restrict
    value: 1
    state: present
    reload: yes
  tags:
    - sysctl_kernel_dmesg_restrict
    - low_severity
    - disable_strategy
    - low_complexity
    - medium_disruption
    - CCE-27050-4
    - NIST-800-53-SI-11
    - NIST-800-171-3.1.5

SELinux   [ref]group

SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.

The default SELinux policy, as configured on Red Hat Enterprise Linux 7, has been sufficiently developed and debugged that it should be usable on almost any Red Hat system with minimal configuration and a small amount of system administrator training. This policy prevents system services - including most of the common network-visible services such as mail servers, FTP servers, and DNS servers - from accessing files which those services have no valid reason to access. This action alone prevents a huge amount of possible damage from network attacks against services, from trojaned software, and so forth.

This guide recommends that SELinux be enabled using the default (targeted) policy on every Red Hat system, unless that system has unusual requirements which make a stronger policy appropriate.

For more information on SELinux, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide

contains 66 rules

SELinux - Booleans   [ref]group

Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy.

contains 61 rules

Disable the abrt_anon_write SELinux Boolean   [ref]rule

By default, the SELinux boolean abrt_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the abrt_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_anon_write off

Rationale:

Severity:  medium

Identifiers:  CCE-80419-5

References:  RHEL-07-TBD, TBD, NaN, TBD, 3.7.2

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_abrt_anon_write="false"

setsebool -P abrt_anon_write var_abrt_anon_write
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_abrt_anon_write # promote to variable
  set_fact:
    var_abrt_anon_write: false
  tags:
    - always

- name: Set SELinux boolean abrt_anon_write accordingly
  seboolean:
    name: abrt_anon_write
    state: "{{ var_abrt_anon_write }}"
    persistent: yes
  tags:
    - sebool_abrt_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80419-5
    - NIST-800-53-TBD
    - NIST-800-171-3.7.2
    - DISA-STIG-RHEL-07-TBD

Disable the abrt_handle_event SELinux Boolean   [ref]rule

By default, the SELinux boolean abrt_handle_event is disabled. If this setting is enabled, it should be disabled. To disable the abrt_handle_event SELinux boolean, run the following command:

$ sudo setsebool -P abrt_handle_event off

Rationale:

Severity:  medium

Identifiers:  CCE-80420-3

References:  RHEL-07-TBD, TBD, NaN, TBD, 3.7.2

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_abrt_handle_event="false"

setsebool -P abrt_handle_event var_abrt_handle_event
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_abrt_handle_event # promote to variable
  set_fact:
    var_abrt_handle_event: false
  tags:
    - always

- name: Set SELinux boolean abrt_handle_event accordingly
  seboolean:
    name: abrt_handle_event
    state: "{{ var_abrt_handle_event }}"
    persistent: yes
  tags:
    - sebool_abrt_handle_event
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80420-3
    - NIST-800-53-TBD
    - NIST-800-171-3.7.2
    - DISA-STIG-RHEL-07-TBD

Disable the abrt_upload_watch_anon_write SELinux Boolean   [ref]rule

By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services. To disable the abrt_upload_watch_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P abrt_upload_watch_anon_write off

Rationale:

Severity:  medium

Identifiers:  CCE-80421-1

References:  RHEL-07-TBD, TBD, NaN, TBD, 3.7.2

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_abrt_upload_watch_anon_write="true"

setsebool -P abrt_upload_watch_anon_write var_abrt_upload_watch_anon_write
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_abrt_upload_watch_anon_write # promote to variable
  set_fact:
    var_abrt_upload_watch_anon_write: true
  tags:
    - always

- name: Set SELinux boolean abrt_upload_watch_anon_write accordingly
  seboolean:
    name: abrt_upload_watch_anon_write
    state: "{{ var_abrt_upload_watch_anon_write }}"
    persistent: yes
  tags:
    - sebool_abrt_upload_watch_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80421-1
    - NIST-800-53-TBD
    - NIST-800-171-3.7.2
    - DISA-STIG-RHEL-07-TBD

Enable the auditadm_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the auditadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P auditadm_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-80424-5

References:  RHEL-07-TBD, TBD, NaN, TBD, 80424-5

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_auditadm_exec_content="true"

setsebool -P auditadm_exec_content var_auditadm_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_auditadm_exec_content # promote to variable
  set_fact:
    var_auditadm_exec_content: true
  tags:
    - always

- name: Set SELinux boolean auditadm_exec_content accordingly
  seboolean:
    name: auditadm_exec_content
    state: "{{ var_auditadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_auditadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80424-5
    - NIST-800-53-TBD
    - NIST-800-171-80424-5
    - DISA-STIG-RHEL-07-TBD

Disable the cron_can_relabel SELinux Boolean   [ref]rule

By default, the SELinux boolean cron_can_relabel is disabled. If this setting is enabled, it should be disabled. To disable the cron_can_relabel SELinux boolean, run the following command:

$ sudo setsebool -P cron_can_relabel off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_cron_can_relabel="false"

setsebool -P cron_can_relabel var_cron_can_relabel
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_cron_can_relabel # promote to variable
  set_fact:
    var_cron_can_relabel: false
  tags:
    - always

- name: Set SELinux boolean cron_can_relabel accordingly
  seboolean:
    name: cron_can_relabel
    state: "{{ var_cron_can_relabel }}"
    persistent: yes
  tags:
    - sebool_cron_can_relabel
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the cron_system_cronjob_use_shares SELinux Boolean   [ref]rule

By default, the SELinux boolean cron_system_cronjob_use_shares is disabled. If this setting is enabled, it should be disabled. To disable the cron_system_cronjob_use_shares SELinux boolean, run the following command:

$ sudo setsebool -P cron_system_cronjob_use_shares off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_cron_system_cronjob_use_shares="false"

setsebool -P cron_system_cronjob_use_shares var_cron_system_cronjob_use_shares
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_cron_system_cronjob_use_shares # promote to variable
  set_fact:
    var_cron_system_cronjob_use_shares: false
  tags:
    - always

- name: Set SELinux boolean cron_system_cronjob_use_shares accordingly
  seboolean:
    name: cron_system_cronjob_use_shares
    state: "{{ var_cron_system_cronjob_use_shares }}"
    persistent: yes
  tags:
    - sebool_cron_system_cronjob_use_shares
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the cron_userdomain_transition SELinux Boolean   [ref]rule

By default, the SELinux boolean cron_userdomain_transition is enabled. This setting should be enabled as end user cron jobs run in their default associated user domain(s) instead of the general cronjob domain. To enable the cron_userdomain_transition SELinux boolean, run the following command:

$ sudo setsebool -P cron_userdomain_transition on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_cron_userdomain_transition="true"

setsebool -P cron_userdomain_transition var_cron_userdomain_transition
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_cron_userdomain_transition # promote to variable
  set_fact:
    var_cron_userdomain_transition: true
  tags:
    - always

- name: Set SELinux boolean cron_userdomain_transition accordingly
  seboolean:
    name: cron_userdomain_transition
    state: "{{ var_cron_userdomain_transition }}"
    persistent: yes
  tags:
    - sebool_cron_userdomain_transition
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the daemons_dump_core SELinux Boolean   [ref]rule

By default, the SELinux boolean daemons_dump_core is disabled. If this setting is enabled, it should be disabled. To disable the daemons_dump_core SELinux boolean, run the following command:

$ sudo setsebool -P daemons_dump_core off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_daemons_dump_core="false"

setsebool -P daemons_dump_core var_daemons_dump_core
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_daemons_dump_core # promote to variable
  set_fact:
    var_daemons_dump_core: false
  tags:
    - always

- name: Set SELinux boolean daemons_dump_core accordingly
  seboolean:
    name: daemons_dump_core
    state: "{{ var_daemons_dump_core }}"
    persistent: yes
  tags:
    - sebool_daemons_dump_core
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the daemons_use_tcp_wrapper SELinux Boolean   [ref]rule

By default, the SELinux boolean daemons_use_tcp_wrapper is disabled. If this setting is enabled, it should be disabled. To disable the daemons_use_tcp_wrapper SELinux boolean, run the following command:

$ sudo setsebool -P daemons_use_tcp_wrapper off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_daemons_use_tcp_wrapper="false"

setsebool -P daemons_use_tcp_wrapper var_daemons_use_tcp_wrapper
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_daemons_use_tcp_wrapper # promote to variable
  set_fact:
    var_daemons_use_tcp_wrapper: false
  tags:
    - always

- name: Set SELinux boolean daemons_use_tcp_wrapper accordingly
  seboolean:
    name: daemons_use_tcp_wrapper
    state: "{{ var_daemons_use_tcp_wrapper }}"
    persistent: yes
  tags:
    - sebool_daemons_use_tcp_wrapper
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the daemons_use_tty SELinux Boolean   [ref]rule

By default, the SELinux boolean daemons_use_tty is disabled. If this setting is enabled, it should be disabled. To disable the daemons_use_tty SELinux boolean, run the following command:

$ sudo setsebool -P daemons_use_tty off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_daemons_use_tty="false"

setsebool -P daemons_use_tty var_daemons_use_tty
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_daemons_use_tty # promote to variable
  set_fact:
    var_daemons_use_tty: false
  tags:
    - always

- name: Set SELinux boolean daemons_use_tty accordingly
  seboolean:
    name: daemons_use_tty
    state: "{{ var_daemons_use_tty }}"
    persistent: yes
  tags:
    - sebool_daemons_use_tty
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the deny_execmem SELinux Boolean   [ref]rule

By default, the SELinux boolean deny_execmem is disabled. If this setting is enabled, it should be disabled. To disable the deny_execmem SELinux boolean, run the following command:

$ sudo setsebool -P deny_execmem off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_deny_execmem="false"

setsebool -P deny_execmem var_deny_execmem
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_deny_execmem # promote to variable
  set_fact:
    var_deny_execmem: false
  tags:
    - always

- name: Set SELinux boolean deny_execmem accordingly
  seboolean:
    name: deny_execmem
    state: "{{ var_deny_execmem }}"
    persistent: yes
  tags:
    - sebool_deny_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the deny_ptrace SELinux Boolean   [ref]rule

By default, the SELinux boolean deny_ptrace is disabled. If this setting is enabled, it should be disabled. To disable the deny_ptrace SELinux boolean, run the following command:

$ sudo setsebool -P deny_ptrace off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_deny_ptrace="false"

setsebool -P deny_ptrace var_deny_ptrace
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_deny_ptrace # promote to variable
  set_fact:
    var_deny_ptrace: false
  tags:
    - always

- name: Set SELinux boolean deny_ptrace accordingly
  seboolean:
    name: deny_ptrace
    state: "{{ var_deny_ptrace }}"
    persistent: yes
  tags:
    - sebool_deny_ptrace
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the domain_fd_use SELinux Boolean   [ref]rule

By default, the SELinux boolean domain_fd_use is enabled. If this setting is disabled, it should be enabled. To enable the domain_fd_use SELinux boolean, run the following command:

$ sudo setsebool -P domain_fd_use on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_domain_fd_use="true"

setsebool -P domain_fd_use var_domain_fd_use
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_domain_fd_use # promote to variable
  set_fact:
    var_domain_fd_use: true
  tags:
    - always

- name: Set SELinux boolean domain_fd_use accordingly
  seboolean:
    name: domain_fd_use
    state: "{{ var_domain_fd_use }}"
    persistent: yes
  tags:
    - sebool_domain_fd_use
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the domain_kernel_load_modules SELinux Boolean   [ref]rule

By default, the SELinux boolean domain_kernel_load_modules is disabled. If this setting is enabled, it should be disabled. To disable the domain_kernel_load_modules SELinux boolean, run the following command:

$ sudo setsebool -P domain_kernel_load_modules off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_domain_kernel_load_modules="false"

setsebool -P domain_kernel_load_modules var_domain_kernel_load_modules
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_domain_kernel_load_modules # promote to variable
  set_fact:
    var_domain_kernel_load_modules: false
  tags:
    - always

- name: Set SELinux boolean domain_kernel_load_modules accordingly
  seboolean:
    name: domain_kernel_load_modules
    state: "{{ var_domain_kernel_load_modules }}"
    persistent: yes
  tags:
    - sebool_domain_kernel_load_modules
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the fips_mode SELinux Boolean   [ref]rule

By default, the SELinux boolean fips_mode is enabled. This allows all SELinux domains to execute in fips_mode. If this setting is disabled, it should be enabled. To enable the fips_mode SELinux boolean, run the following command:

$ sudo setsebool -P fips_mode on

Rationale:

Severity:  medium

Identifiers:  CCE-80418-7

References:  RHEL-07-TBD, SC-13, NaN, TBD, 3.13.11

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_fips_mode="true"

setsebool -P fips_mode var_fips_mode
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_fips_mode # promote to variable
  set_fact:
    var_fips_mode: true
  tags:
    - always

- name: Set SELinux boolean fips_mode accordingly
  seboolean:
    name: fips_mode
    state: "{{ var_fips_mode }}"
    persistent: yes
  tags:
    - sebool_fips_mode
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-80418-7
    - NIST-800-53-SC-13
    - NIST-800-171-3.13.11
    - DISA-STIG-RHEL-07-TBD

Disable the gpg_web_anon_write SELinux Boolean   [ref]rule

By default, the SELinux boolean gpg_web_anon_write is disabled. If this setting is enabled, it should be disabled. To disable the gpg_web_anon_write SELinux boolean, run the following command:

$ sudo setsebool -P gpg_web_anon_write off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_gpg_web_anon_write="false"

setsebool -P gpg_web_anon_write var_gpg_web_anon_write
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_gpg_web_anon_write # promote to variable
  set_fact:
    var_gpg_web_anon_write: false
  tags:
    - always

- name: Set SELinux boolean gpg_web_anon_write accordingly
  seboolean:
    name: gpg_web_anon_write
    state: "{{ var_gpg_web_anon_write }}"
    persistent: yes
  tags:
    - sebool_gpg_web_anon_write
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the guest_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean guest_exec_content is enabled. This setting should be disabled as no guest accounts should be used. To enable the guest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P guest_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_guest_exec_content="true"

setsebool -P guest_exec_content var_guest_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_guest_exec_content # promote to variable
  set_fact:
    var_guest_exec_content: true
  tags:
    - always

- name: Set SELinux boolean guest_exec_content accordingly
  seboolean:
    name: guest_exec_content
    state: "{{ var_guest_exec_content }}"
    persistent: yes
  tags:
    - sebool_guest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the kerberos_enabled SELinux Boolean   [ref]rule

By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos. To enable the kerberos_enabled SELinux boolean, run the following command:

$ sudo setsebool -P kerberos_enabled on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_kerberos_enabled="true"

setsebool -P kerberos_enabled var_kerberos_enabled
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_kerberos_enabled # promote to variable
  set_fact:
    var_kerberos_enabled: true
  tags:
    - always

- name: Set SELinux boolean kerberos_enabled accordingly
  seboolean:
    name: kerberos_enabled
    state: "{{ var_kerberos_enabled }}"
    persistent: yes
  tags:
    - sebool_kerberos_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the logadm_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean logadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the logadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P logadm_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_logadm_exec_content="true"

setsebool -P logadm_exec_content var_logadm_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_logadm_exec_content # promote to variable
  set_fact:
    var_logadm_exec_content: true
  tags:
    - always

- name: Set SELinux boolean logadm_exec_content accordingly
  seboolean:
    name: logadm_exec_content
    state: "{{ var_logadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_logadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the logging_syslogd_can_sendmail SELinux Boolean   [ref]rule

By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. If this setting is enabled, it should be disabled. To disable the logging_syslogd_can_sendmail SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_can_sendmail off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_logging_syslogd_can_sendmail="false"

setsebool -P logging_syslogd_can_sendmail var_logging_syslogd_can_sendmail
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable
  set_fact:
    var_logging_syslogd_can_sendmail: false
  tags:
    - always

- name: Set SELinux boolean logging_syslogd_can_sendmail accordingly
  seboolean:
    name: logging_syslogd_can_sendmail
    state: "{{ var_logging_syslogd_can_sendmail }}"
    persistent: yes
  tags:
    - sebool_logging_syslogd_can_sendmail
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the logging_syslogd_use_tty SELinux Boolean   [ref]rule

By default, the SELinux boolean logging_syslogd_use_tty is enabled. If this setting is disabled, it should be enabled as it allows syslog the ability to read/write to terminal. To enable the logging_syslogd_use_tty SELinux boolean, run the following command:

$ sudo setsebool -P logging_syslogd_use_tty on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_logging_syslogd_use_tty="true"

setsebool -P logging_syslogd_use_tty var_logging_syslogd_use_tty
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_logging_syslogd_use_tty # promote to variable
  set_fact:
    var_logging_syslogd_use_tty: true
  tags:
    - always

- name: Set SELinux boolean logging_syslogd_use_tty accordingly
  seboolean:
    name: logging_syslogd_use_tty
    state: "{{ var_logging_syslogd_use_tty }}"
    persistent: yes
  tags:
    - sebool_logging_syslogd_use_tty
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the mmap_low_allowed SELinux Boolean   [ref]rule

By default, the SELinux boolean mmap_low_allowed is disabled. If this setting is enabled, it should be disabled. To disable the mmap_low_allowed SELinux boolean, run the following command:

$ sudo setsebool -P mmap_low_allowed off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_mmap_low_allowed="false"

setsebool -P mmap_low_allowed var_mmap_low_allowed
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_mmap_low_allowed # promote to variable
  set_fact:
    var_mmap_low_allowed: false
  tags:
    - always

- name: Set SELinux boolean mmap_low_allowed accordingly
  seboolean:
    name: mmap_low_allowed
    state: "{{ var_mmap_low_allowed }}"
    persistent: yes
  tags:
    - sebool_mmap_low_allowed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the mock_enable_homedirs SELinux Boolean   [ref]rule

By default, the SELinux boolean mock_enable_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the mock_enable_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P mock_enable_homedirs off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_mock_enable_homedirs="false"

setsebool -P mock_enable_homedirs var_mock_enable_homedirs
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_mock_enable_homedirs # promote to variable
  set_fact:
    var_mock_enable_homedirs: false
  tags:
    - always

- name: Set SELinux boolean mock_enable_homedirs accordingly
  seboolean:
    name: mock_enable_homedirs
    state: "{{ var_mock_enable_homedirs }}"
    persistent: yes
  tags:
    - sebool_mock_enable_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the mount_anyfile SELinux Boolean   [ref]rule

By default, the SELinux boolean mount_anyfile is enabled. If this setting is disabled, it should be enabled to allow any file or directory to be mounted. To enable the mount_anyfile SELinux boolean, run the following command:

$ sudo setsebool -P mount_anyfile on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_mount_anyfile="true"

setsebool -P mount_anyfile var_mount_anyfile
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_mount_anyfile # promote to variable
  set_fact:
    var_mount_anyfile: true
  tags:
    - always

- name: Set SELinux boolean mount_anyfile accordingly
  seboolean:
    name: mount_anyfile
    state: "{{ var_mount_anyfile }}"
    persistent: yes
  tags:
    - sebool_mount_anyfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the polyinstantiation_enabled SELinux Boolean   [ref]rule

By default, the SELinux boolean polyinstantiation_enabled is disabled. If this setting is enabled, it should be disabled. To disable the polyinstantiation_enabled SELinux boolean, run the following command:

$ sudo setsebool -P polyinstantiation_enabled off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_polyinstantiation_enabled="false"

setsebool -P polyinstantiation_enabled var_polyinstantiation_enabled
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_polyinstantiation_enabled # promote to variable
  set_fact:
    var_polyinstantiation_enabled: false
  tags:
    - always

- name: Set SELinux boolean polyinstantiation_enabled accordingly
  seboolean:
    name: polyinstantiation_enabled
    state: "{{ var_polyinstantiation_enabled }}"
    persistent: yes
  tags:
    - sebool_polyinstantiation_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the secadm_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean secadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the secadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P secadm_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_secadm_exec_content="true"

setsebool -P secadm_exec_content var_secadm_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_secadm_exec_content # promote to variable
  set_fact:
    var_secadm_exec_content: true
  tags:
    - always

- name: Set SELinux boolean secadm_exec_content accordingly
  seboolean:
    name: secadm_exec_content
    state: "{{ var_secadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_secadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the secure_mode_insmod SELinux Boolean   [ref]rule

By default, the SELinux boolean secure_mode_insmod is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode_insmod SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_insmod off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_secure_mode_insmod="false"

setsebool -P secure_mode_insmod var_secure_mode_insmod
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_secure_mode_insmod # promote to variable
  set_fact:
    var_secure_mode_insmod: false
  tags:
    - always

- name: Set SELinux boolean secure_mode_insmod accordingly
  seboolean:
    name: secure_mode_insmod
    state: "{{ var_secure_mode_insmod }}"
    persistent: yes
  tags:
    - sebool_secure_mode_insmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the secure_mode SELinux Boolean   [ref]rule

By default, the SELinux boolean secure_mode is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_secure_mode="false"

setsebool -P secure_mode var_secure_mode
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_secure_mode # promote to variable
  set_fact:
    var_secure_mode: false
  tags:
    - always

- name: Set SELinux boolean secure_mode accordingly
  seboolean:
    name: secure_mode
    state: "{{ var_secure_mode }}"
    persistent: yes
  tags:
    - sebool_secure_mode
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the secure_mode_policyload SELinux Boolean   [ref]rule

By default, the SELinux boolean secure_mode_policyload is disabled. If this setting is enabled, it should be disabled. To disable the secure_mode_policyload SELinux boolean, run the following command:

$ sudo setsebool -P secure_mode_policyload off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_secure_mode_policyload="false"

setsebool -P secure_mode_policyload var_secure_mode_policyload
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_secure_mode_policyload # promote to variable
  set_fact:
    var_secure_mode_policyload: false
  tags:
    - always

- name: Set SELinux boolean secure_mode_policyload accordingly
  seboolean:
    name: secure_mode_policyload
    state: "{{ var_secure_mode_policyload }}"
    persistent: yes
  tags:
    - sebool_secure_mode_policyload
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Configure the selinuxuser_direct_dri_enabled SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled. If XWindows is not installed or used on the system, this setting should be disabled. Otherwise, enable it. To disable the selinuxuser_direct_dri_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_direct_dri_enabled off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_direct_dri_enabled="true"

setsebool -P selinuxuser_direct_dri_enabled var_selinuxuser_direct_dri_enabled
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable
  set_fact:
    var_selinuxuser_direct_dri_enabled: true
  tags:
    - always

- name: Set SELinux boolean selinuxuser_direct_dri_enabled accordingly
  seboolean:
    name: selinuxuser_direct_dri_enabled
    state: "{{ var_selinuxuser_direct_dri_enabled }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_direct_dri_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_execheap SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_execheap is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_execheap SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execheap off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_execheap="false"

setsebool -P selinuxuser_execheap var_selinuxuser_execheap
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_execheap # promote to variable
  set_fact:
    var_selinuxuser_execheap: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_execheap accordingly
  seboolean:
    name: selinuxuser_execheap
    state: "{{ var_selinuxuser_execheap }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_execheap
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the selinuxuser_execmod SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_execmod is enabled. If this setting is disabled, it should be enabled. To enable the selinuxuser_execmod SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execmod on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_execmod="true"

setsebool -P selinuxuser_execmod var_selinuxuser_execmod
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_execmod # promote to variable
  set_fact:
    var_selinuxuser_execmod: true
  tags:
    - always

- name: Set SELinux boolean selinuxuser_execmod accordingly
  seboolean:
    name: selinuxuser_execmod
    state: "{{ var_selinuxuser_execmod }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_execmod
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

disable the selinuxuser_execstack SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_execstack is enabled. This setting should be disabled as unconfined executables should not be able to make their stack executable. To disable the selinuxuser_execstack SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_execstack off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_execstack="true"

setsebool -P selinuxuser_execstack var_selinuxuser_execstack
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_execstack # promote to variable
  set_fact:
    var_selinuxuser_execstack: true
  tags:
    - always

- name: Set SELinux boolean selinuxuser_execstack accordingly
  seboolean:
    name: selinuxuser_execstack
    state: "{{ var_selinuxuser_execstack }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_execstack
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_mysql_connect_enabled SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_mysql_connect_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_mysql_connect_enabled off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_mysql_connect_enabled="false"

setsebool -P selinuxuser_mysql_connect_enabled var_selinuxuser_mysql_connect_enabled
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_mysql_connect_enabled # promote to variable
  set_fact:
    var_selinuxuser_mysql_connect_enabled: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_mysql_connect_enabled accordingly
  seboolean:
    name: selinuxuser_mysql_connect_enabled
    state: "{{ var_selinuxuser_mysql_connect_enabled }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_mysql_connect_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the selinuxuser_ping SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_ping is enabled. If this setting is disabled, it should be enabled as it allows confined users to use ping and traceroute which is helpful for network troubleshooting. To enable the selinuxuser_ping SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_ping on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_ping="true"

setsebool -P selinuxuser_ping var_selinuxuser_ping
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_ping # promote to variable
  set_fact:
    var_selinuxuser_ping: true
  tags:
    - always

- name: Set SELinux boolean selinuxuser_ping accordingly
  seboolean:
    name: selinuxuser_ping
    state: "{{ var_selinuxuser_ping }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_ping
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_postgresql_connect_enabled SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_postgresql_connect_enabled off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_postgresql_connect_enabled="false"

setsebool -P selinuxuser_postgresql_connect_enabled var_selinuxuser_postgresql_connect_enabled
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_postgresql_connect_enabled # promote to variable
  set_fact:
    var_selinuxuser_postgresql_connect_enabled: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_postgresql_connect_enabled accordingly
  seboolean:
    name: selinuxuser_postgresql_connect_enabled
    state: "{{ var_selinuxuser_postgresql_connect_enabled }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_postgresql_connect_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_rw_noexattrfile SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled. This setting should be disabled as users should not be able to read/write files on filesystems that do not have extended attributes e.g. FAT, CDROM, FLOPPY, etc. To disable the selinuxuser_rw_noexattrfile SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_rw_noexattrfile off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_rw_noexattrfile="true"

setsebool -P selinuxuser_rw_noexattrfile var_selinuxuser_rw_noexattrfile
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_rw_noexattrfile # promote to variable
  set_fact:
    var_selinuxuser_rw_noexattrfile: true
  tags:
    - always

- name: Set SELinux boolean selinuxuser_rw_noexattrfile accordingly
  seboolean:
    name: selinuxuser_rw_noexattrfile
    state: "{{ var_selinuxuser_rw_noexattrfile }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_rw_noexattrfile
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_share_music SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_share_music is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_share_music SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_share_music off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_share_music="false"

setsebool -P selinuxuser_share_music var_selinuxuser_share_music
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_share_music # promote to variable
  set_fact:
    var_selinuxuser_share_music: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_share_music accordingly
  seboolean:
    name: selinuxuser_share_music
    state: "{{ var_selinuxuser_share_music }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_share_music
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_tcp_server SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_tcp_server is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_tcp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_tcp_server off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_tcp_server="false"

setsebool -P selinuxuser_tcp_server var_selinuxuser_tcp_server
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_tcp_server # promote to variable
  set_fact:
    var_selinuxuser_tcp_server: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_tcp_server accordingly
  seboolean:
    name: selinuxuser_tcp_server
    state: "{{ var_selinuxuser_tcp_server }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_tcp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_udp_server SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_udp_server is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_udp_server SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_udp_server off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_udp_server="false"

setsebool -P selinuxuser_udp_server var_selinuxuser_udp_server
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_udp_server # promote to variable
  set_fact:
    var_selinuxuser_udp_server: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_udp_server accordingly
  seboolean:
    name: selinuxuser_udp_server
    state: "{{ var_selinuxuser_udp_server }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_udp_server
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the selinuxuser_use_ssh_chroot SELinux Boolean   [ref]rule

By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled. If this setting is enabled, it should be disabled. To disable the selinuxuser_use_ssh_chroot SELinux boolean, run the following command:

$ sudo setsebool -P selinuxuser_use_ssh_chroot off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_selinuxuser_use_ssh_chroot="false"

setsebool -P selinuxuser_use_ssh_chroot var_selinuxuser_use_ssh_chroot
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_selinuxuser_use_ssh_chroot # promote to variable
  set_fact:
    var_selinuxuser_use_ssh_chroot: false
  tags:
    - always

- name: Set SELinux boolean selinuxuser_use_ssh_chroot accordingly
  seboolean:
    name: selinuxuser_use_ssh_chroot
    state: "{{ var_selinuxuser_use_ssh_chroot }}"
    persistent: yes
  tags:
    - sebool_selinuxuser_use_ssh_chroot
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the ssh_chroot_rw_homedirs SELinux Boolean   [ref]rule

By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled. If this setting is enabled, it should be disabled. To disable the ssh_chroot_rw_homedirs SELinux boolean, run the following command:

$ sudo setsebool -P ssh_chroot_rw_homedirs off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_ssh_chroot_rw_homedirs="false"

setsebool -P ssh_chroot_rw_homedirs var_ssh_chroot_rw_homedirs
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_ssh_chroot_rw_homedirs # promote to variable
  set_fact:
    var_ssh_chroot_rw_homedirs: false
  tags:
    - always

- name: Set SELinux boolean ssh_chroot_rw_homedirs accordingly
  seboolean:
    name: ssh_chroot_rw_homedirs
    state: "{{ var_ssh_chroot_rw_homedirs }}"
    persistent: yes
  tags:
    - sebool_ssh_chroot_rw_homedirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the ssh_keysign SELinux Boolean   [ref]rule

By default, the SELinux boolean ssh_keysign is disabled. If this setting is enabled, it should be disabled. To disable the ssh_keysign SELinux boolean, run the following command:

$ sudo setsebool -P ssh_keysign off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_ssh_keysign="false"

setsebool -P ssh_keysign var_ssh_keysign
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_ssh_keysign # promote to variable
  set_fact:
    var_ssh_keysign: false
  tags:
    - always

- name: Set SELinux boolean ssh_keysign accordingly
  seboolean:
    name: ssh_keysign
    state: "{{ var_ssh_keysign }}"
    persistent: yes
  tags:
    - sebool_ssh_keysign
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the staff_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean staff_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the staff_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P staff_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_staff_exec_content="true"

setsebool -P staff_exec_content var_staff_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_staff_exec_content # promote to variable
  set_fact:
    var_staff_exec_content: true
  tags:
    - always

- name: Set SELinux boolean staff_exec_content accordingly
  seboolean:
    name: staff_exec_content
    state: "{{ var_staff_exec_content }}"
    persistent: yes
  tags:
    - sebool_staff_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the sysadm_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean sysadm_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the sysadm_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P sysadm_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_sysadm_exec_content="true"

setsebool -P sysadm_exec_content var_sysadm_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_sysadm_exec_content # promote to variable
  set_fact:
    var_sysadm_exec_content: true
  tags:
    - always

- name: Set SELinux boolean sysadm_exec_content accordingly
  seboolean:
    name: sysadm_exec_content
    state: "{{ var_sysadm_exec_content }}"
    persistent: yes
  tags:
    - sebool_sysadm_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the use_ecryptfs_home_dirs SELinux Boolean   [ref]rule

By default, the SELinux boolean use_ecryptfs_home_dirs is disabled. If this setting is enabled, it should be disabled. To disable the use_ecryptfs_home_dirs SELinux boolean, run the following command:

$ sudo setsebool -P use_ecryptfs_home_dirs off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_use_ecryptfs_home_dirs="false"

setsebool -P use_ecryptfs_home_dirs var_use_ecryptfs_home_dirs
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_use_ecryptfs_home_dirs # promote to variable
  set_fact:
    var_use_ecryptfs_home_dirs: false
  tags:
    - always

- name: Set SELinux boolean use_ecryptfs_home_dirs accordingly
  seboolean:
    name: use_ecryptfs_home_dirs
    state: "{{ var_use_ecryptfs_home_dirs }}"
    persistent: yes
  tags:
    - sebool_use_ecryptfs_home_dirs
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Enable the user_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean user_exec_content is enabled. If this setting is disabled, it should be enabled. To enable the user_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P user_exec_content on

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_user_exec_content="true"

setsebool -P user_exec_content var_user_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_user_exec_content # promote to variable
  set_fact:
    var_user_exec_content: true
  tags:
    - always

- name: Set SELinux boolean user_exec_content accordingly
  seboolean:
    name: user_exec_content
    state: "{{ var_user_exec_content }}"
    persistent: yes
  tags:
    - sebool_user_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xdm_bind_vnc_tcp_port SELinux Boolean   [ref]rule

By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled. If this setting is enabled, it should be disabled. To disable the xdm_bind_vnc_tcp_port SELinux boolean, run the following command:

$ sudo setsebool -P xdm_bind_vnc_tcp_port off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xdm_bind_vnc_tcp_port="false"

setsebool -P xdm_bind_vnc_tcp_port var_xdm_bind_vnc_tcp_port
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xdm_bind_vnc_tcp_port # promote to variable
  set_fact:
    var_xdm_bind_vnc_tcp_port: false
  tags:
    - always

- name: Set SELinux boolean xdm_bind_vnc_tcp_port accordingly
  seboolean:
    name: xdm_bind_vnc_tcp_port
    state: "{{ var_xdm_bind_vnc_tcp_port }}"
    persistent: yes
  tags:
    - sebool_xdm_bind_vnc_tcp_port
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xdm_exec_bootloader SELinux Boolean   [ref]rule

By default, the SELinux boolean xdm_exec_bootloader is disabled. If this setting is enabled, it should be disabled. To disable the xdm_exec_bootloader SELinux boolean, run the following command:

$ sudo setsebool -P xdm_exec_bootloader off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xdm_exec_bootloader="false"

setsebool -P xdm_exec_bootloader var_xdm_exec_bootloader
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xdm_exec_bootloader # promote to variable
  set_fact:
    var_xdm_exec_bootloader: false
  tags:
    - always

- name: Set SELinux boolean xdm_exec_bootloader accordingly
  seboolean:
    name: xdm_exec_bootloader
    state: "{{ var_xdm_exec_bootloader }}"
    persistent: yes
  tags:
    - sebool_xdm_exec_bootloader
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xdm_write_home SELinux Boolean   [ref]rule

By default, the SELinux boolean xdm_write_home is disabled. If this setting is enabled, it should be disabled. To disable the xdm_write_home SELinux boolean, run the following command:

$ sudo setsebool -P xdm_write_home off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xdm_write_home="false"

setsebool -P xdm_write_home var_xdm_write_home
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xdm_write_home # promote to variable
  set_fact:
    var_xdm_write_home: false
  tags:
    - always

- name: Set SELinux boolean xdm_write_home accordingly
  seboolean:
    name: xdm_write_home
    state: "{{ var_xdm_write_home }}"
    persistent: yes
  tags:
    - sebool_xdm_write_home
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xguest_connect_network SELinux Boolean   [ref]rule

By default, the SELinux boolean xguest_connect_network is enabled. This setting should be disabled as guest users should not be able to configure NetworkManager. To disable the xguest_connect_network SELinux boolean, run the following command:

$ sudo setsebool -P xguest_connect_network off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xguest_connect_network="true"

setsebool -P xguest_connect_network var_xguest_connect_network
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xguest_connect_network # promote to variable
  set_fact:
    var_xguest_connect_network: true
  tags:
    - always

- name: Set SELinux boolean xguest_connect_network accordingly
  seboolean:
    name: xguest_connect_network
    state: "{{ var_xguest_connect_network }}"
    persistent: yes
  tags:
    - sebool_xguest_connect_network
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xguest_exec_content SELinux Boolean   [ref]rule

By default, the SELinux boolean xguest_exec_content is enabled. This setting should be disabled as guest users should not be able to run executables. To disable the xguest_exec_content SELinux boolean, run the following command:

$ sudo setsebool -P xguest_exec_content off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xguest_exec_content="true"

setsebool -P xguest_exec_content var_xguest_exec_content
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xguest_exec_content # promote to variable
  set_fact:
    var_xguest_exec_content: true
  tags:
    - always

- name: Set SELinux boolean xguest_exec_content accordingly
  seboolean:
    name: xguest_exec_content
    state: "{{ var_xguest_exec_content }}"
    persistent: yes
  tags:
    - sebool_xguest_exec_content
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xguest_mount_media SELinux Boolean   [ref]rule

By default, the SELinux boolean xguest_mount_media is enabled. This setting should be disabled as guest users should not be able to mount any media. To disable the xguest_mount_media SELinux boolean, run the following command:

$ sudo setsebool -P xguest_mount_media off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xguest_mount_media="true"

setsebool -P xguest_mount_media var_xguest_mount_media
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xguest_mount_media # promote to variable
  set_fact:
    var_xguest_mount_media: true
  tags:
    - always

- name: Set SELinux boolean xguest_mount_media accordingly
  seboolean:
    name: xguest_mount_media
    state: "{{ var_xguest_mount_media }}"
    persistent: yes
  tags:
    - sebool_xguest_mount_media
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xguest_use_bluetooth SELinux Boolean   [ref]rule

By default, the SELinux boolean xguest_use_bluetooth is enabled. This setting should be disabled as guests users should not be able to access or use bluetooth. To disable the xguest_use_bluetooth SELinux boolean, run the following command:

$ sudo setsebool -P xguest_use_bluetooth off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xguest_use_bluetooth="true"

setsebool -P xguest_use_bluetooth var_xguest_use_bluetooth
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xguest_use_bluetooth # promote to variable
  set_fact:
    var_xguest_use_bluetooth: true
  tags:
    - always

- name: Set SELinux boolean xguest_use_bluetooth accordingly
  seboolean:
    name: xguest_use_bluetooth
    state: "{{ var_xguest_use_bluetooth }}"
    persistent: yes
  tags:
    - sebool_xguest_use_bluetooth
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xserver_clients_write_xshm SELinux Boolean   [ref]rule

By default, the SELinux boolean xserver_clients_write_xshm is disabled. If this setting is enabled, it should be disabled. To disable the xserver_clients_write_xshm SELinux boolean, run the following command:

$ sudo setsebool -P xserver_clients_write_xshm off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xserver_clients_write_xshm="false"

setsebool -P xserver_clients_write_xshm var_xserver_clients_write_xshm
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xserver_clients_write_xshm # promote to variable
  set_fact:
    var_xserver_clients_write_xshm: false
  tags:
    - always

- name: Set SELinux boolean xserver_clients_write_xshm accordingly
  seboolean:
    name: xserver_clients_write_xshm
    state: "{{ var_xserver_clients_write_xshm }}"
    persistent: yes
  tags:
    - sebool_xserver_clients_write_xshm
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xserver_execmem SELinux Boolean   [ref]rule

By default, the SELinux boolean xserver_execmem is disabled. If this setting is enabled, it should be disabled. To disable the xserver_execmem SELinux boolean, run the following command:

$ sudo setsebool -P xserver_execmem off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xserver_execmem="false"

setsebool -P xserver_execmem var_xserver_execmem
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xserver_execmem # promote to variable
  set_fact:
    var_xserver_execmem: false
  tags:
    - always

- name: Set SELinux boolean xserver_execmem accordingly
  seboolean:
    name: xserver_execmem
    state: "{{ var_xserver_execmem }}"
    persistent: yes
  tags:
    - sebool_xserver_execmem
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Disable the xserver_object_manager SELinux Boolean   [ref]rule

By default, the SELinux boolean xserver_object_manager is disabled. If this setting is enabled, it should be disabled. To disable the xserver_object_manager SELinux boolean, run the following command:

$ sudo setsebool -P xserver_object_manager off

Rationale:

Severity:  medium

Identifiers:  CCE-RHEL7-CCE-TBD

References:  RHEL-07-TBD, TBD, NaN, TBD

Remediation Shell script:   (show)

Complexity:low
Disruption:low
Strategy:enable

var_xserver_object_manager="false"

setsebool -P xserver_object_manager var_xserver_object_manager
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: XCCDF Value var_xserver_object_manager # promote to variable
  set_fact:
    var_xserver_object_manager: false
  tags:
    - always

- name: Set SELinux boolean xserver_object_manager accordingly
  seboolean:
    name: xserver_object_manager
    state: "{{ var_xserver_object_manager }}"
    persistent: yes
  tags:
    - sebool_xserver_object_manager
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - CCE-RHEL7-CCE-TBD
    - NIST-800-53-TBD
    - DISA-STIG-RHEL-07-TBD

Ensure SELinux Not Disabled in /etc/default/grub   [ref]rule

SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.

Rationale:

Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.

Severity:  medium

Identifiers:  CCE-26961-3

References:  AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), CCI-000022, CCI-000032, 1.6.1.1, 3.1.2, 3.7.2

Remediation Shell script:   (show)

sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure SELinux Not Disabled in /etc/default/grub
  replace:
    dest: /etc/default/grub
    regexp: selinux=0
  tags:
    - enable_selinux_bootloader
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-26961-3
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)
    - NIST-800-53-AC-3(4)
    - NIST-800-53-AC-4
    - NIST-800-53-AC-6
    - NIST-800-53-AU-9
    - NIST-800-53-SI-6(a)
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2

Ensure SELinux State is Enforcing   [ref]rule

The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:

SELINUX=enforcing

Rationale:

Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.

Severity:  high

Remediation Shell script:   (show)


var_selinux_state="enforcing"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state 'CCE-27334-2' '%s=%s'

fixfiles onboot
fixfiles -f relabel
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_selinux_state # promote to variable
  set_fact:
    var_selinux_state: enforcing
  tags:
    - always

- name: "Ensure SELinux State is Enforcing"
  selinux:
    state: "{{ var_selinux_state }}"
  tags:
    - selinux_state
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27334-2
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)
    - NIST-800-53-AC-3(4)
    - NIST-800-53-AC-4
    - NIST-800-53-AC-6
    - NIST-800-53-AU-9
    - NIST-800-53-SI-6(a)
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - DISA-STIG-RHEL-07-020210

Configure SELinux Policy   [ref]rule

The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:

SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

Rationale:

Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.

Severity:  high

Remediation Shell script:   (show)


var_selinux_policy_name="targeted"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name 'CCE-27279-9' '%s=%s'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_selinux_policy_name # promote to variable
  set_fact:
    var_selinux_policy_name: targeted
  tags:
    - always

- name: "Configure SELinux Policy"
  selinux:
    policy: "{{ var_selinux_policy_name }}"
  tags:
    - selinux_policytype
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27279-9
    - NIST-800-53-AC-3
    - NIST-800-53-AC-3(3)
    - NIST-800-53-AC-3(4)
    - NIST-800-53-AC-4
    - NIST-800-53-AC-6
    - NIST-800-53-AU-9
    - NIST-800-53-SI-6(a)
    - NIST-800-171-3.1.2
    - NIST-800-171-3.7.2
    - DISA-STIG-RHEL-07-020220

Ensure No Daemons are Unconfined by SELinux   [ref]rule

Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context.

To check for unconfined daemons, run the following command:

$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system.

Rationale:

Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.

Severity:  medium

Identifiers:  CCE-27288-0

References:  AC-6, AU-9, CM-7, 1.6.1.6, 3.1.2, 3.1.5, 3.7.2

Ensure No Device Files are Unlabeled by SELinux   [ref]rule

Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files do not carry the SELinux type device_t, report the bug so that policy can be corrected. Supply information about what the device is and what programs use it.

To check for unlabeled device files, run the following command:

$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system.

Rationale:

If a device file carries the SELinux type device_t, then SELinux cannot properly restrict access to the device file.

Severity:  medium

Account and Access Control   [ref]group

In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under Red Hat Enterprise Linux 7.

contains 50 rules

Protect Accounts by Restricting Password-Based Login   [ref]group

Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered over a network or at an insecure console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary.

contains 12 rules

Restrict Root Logins   [ref]group

Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators. Locking down the channels through which root can connect directly also reduces opportunities for password-guessing against the root account. The login program uses the file /etc/securetty to determine which interfaces should allow root logins. The virtual devices /dev/console and /dev/tty* represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default installation). The default securetty file also contains /dev/vc/*. These are likely to be deprecated in most environments, but may be retained for compatibility. Root should also be prohibited from connecting via network protocols. Other sections of this document include guidance describing how to prevent root from logging in via SSH.

contains 4 rules

Direct root Logins Not Allowed   [ref]rule

To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as user can login to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enteprise Linux's /etc/securetty file only allows the root user to login at the console physically attached to the system. To prevent root from logging in, remove the contents of this file. To prevent direct root logins, remove the contents of this file by typing the following command:

$ sudo echo > /etc/securetty

Rationale:

Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.

Severity:  medium

Identifiers:  CCE-27294-8

References:  IA-2(1), 5.5, 3.1.1, 3.1.6

Remediation Shell script:   (show)

echo > /etc/securetty
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: "Direct root Logins Not Allowed"
  shell: echo > /etc/securetty
  tags:
    - no_direct_root_logins
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27294-8
    - NIST-800-53-IA-2(1)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.6

Restrict Serial Port Root Logins   [ref]rule

To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:

ttyS0
ttyS1

Rationale:

Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.

Severity:  low

Identifiers:  CCE-27268-2

References:  AC-6(2), CCI-000770, 3.1.1, 3.1.5

Remediation Shell script:   (show)

sed -i '/ttyS/d' /etc/securetty
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: "Restrict Serial Port Root Logins"
  lineinfile:
    dest: /etc/securetty
    regexp: 'ttyS[0-9]'
    state: absent
  tags:
    - restrict_serial_port_logins
    - low_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27268-2
    - NIST-800-53-AC-6(2)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5

Verify Only Root Has UID 0   [ref]rule

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Rationale:

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

Severity:  high

Identifiers:  CCE-27175-9

References:  RHEL-07-020310, AC-6, IA-2(1), IA-4, CCI-000366, SRG-OS-000480-GPOS-00227, 3.1.1, 3.1.5, 6.2.5

Remediation Shell script:   (show)

awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l

Verify Proper Storage and Existence of Password Hashes   [ref]group

By default, password hashes for local accounts are stored in the second field (colon-separated) in /etc/shadow. This file should be readable only by processes running with root credentials, preventing users from casually accessing others' password hashes and attempting to crack them. However, it remains possible to misconfigure the system and store password hashes in world-readable files such as /etc/passwd, or to even store passwords themselves in plaintext on the system. Using system-provided tools for password change/creation should allow administrators to avoid such misconfiguration.

contains 3 rules

Prevent Log In to Accounts With Empty Password   [ref]rule

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

Rationale:

If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Severity:  high

Remediation Shell script:   (show)

sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Strategy:configure
- name: "Prevent Log In to Accounts With Empty Password - system-auth"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: 'nullok'
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27286-4
    - NIST-800-53-AC-6
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2
    - DISA-STIG-RHEL-07-010290

- name: "Prevent Log In to Accounts With Empty Password - password-auth"
  replace:
    dest: /etc/pam.d/password-auth
    follow: yes
    regexp: 'nullok'
  tags:
    - no_empty_passwords
    - high_severity
    - configure_strategy
    - low_complexity
    - medium_disruption
    - CCE-27286-4
    - NIST-800-53-AC-6
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - PCI-DSS-Req-8.2.3
    - CJIS-5.5.2
    - DISA-STIG-RHEL-07-010290

Verify All Account Password Hashes are Shadowed   [ref]rule

If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

Rationale:

The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.

Severity:  medium

Identifiers:  CCE-27352-4

References:  IA-5(h), Req-8.2.1, 5.5.2, 3.5.10

All GIDs referenced in /etc/passwd must be defined in /etc/group   [ref]rule

Add a group to the system for each GID referenced without a corresponding group.

Rationale:

If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.

Severity:  low

Identifiers:  CCE-27503-2

References:  RHEL-07-020300, IA-2, CCI-000764, SRG-OS-000104-GPOS-00051, Req-8.5.a, 5.5.2

Set Password Expiration Parameters   [ref]group

The file /etc/login.defs controls several password-related settings. Programs such as passwd, su, and login consult /etc/login.defs to determine behavior with regard to password aging, expiration warnings, and length. See the man page login.defs(5) for more information.

Users should be forced to change their passwords, in order to decrease the utility of compromised passwords. However, the need to change passwords often should be balanced against the risk that users will reuse or write down passwords if forced to change them too often. Forcing password changes every 90-360 days, depending on the environment, is recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing accounts with the -M flag.

The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first change, to discourage password cycling. If you use this setting, train users to contact an administrator for an emergency password change in case a new password becomes compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time that their passwords are about to expire.

For example, for each existing human user USER, expiration parameters could be adjusted to a 180 day maximum password age, 7 day minimum password age, and 7 day warning period with the following command:

$ sudo chage -M 180 -m 7 -W 7 USER

contains 4 rules
contains 1 rule

Protect Accounts by Configuring PAM   [ref]group

PAM, or Pluggable Authentication Modules, is a system which implements modular authentication for Linux programs. PAM provides a flexible and configurable architecture for authentication, and it should be configured to minimize exposure to unnecessary risk. This section contains guidance on how to accomplish that.

PAM is implemented as a set of shared objects which are loaded and invoked whenever an application wishes to authenticate a user. Typically, the application must be running as root in order to take advantage of PAM, because PAM's modules often need to be able to access sensitive stores of account information, such as /etc/shadow. Traditional privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this requirement. An SUID root application, userhelper, is provided so that programs which are not SUID or privileged themselves can still take advantage of PAM.

PAM looks in the directory /etc/pam.d for application-specific configuration information. For instance, if the program login attempts to authenticate a user, then PAM's libraries follow the instructions in the file /etc/pam.d/login to determine what actions should be taken.

One very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included by many other PAM configuration files, defines 'default' system authentication measures. Modifying this file is a good way to make far-reaching authentication changes, for instance when implementing a centralized authentication service.

Warning:  Be careful when making changes to PAM's configuration files. The syntax for these files is complex, and modifications can have unexpected consequences. The default configurations shipped with applications should be sufficient for most users.
Warning:  Running authconfig or system-config-authentication will re-write the PAM configuration files, destroying any manually made changes and replacing them with a series of system defaults. One reference to the configuration file syntax can be found at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html .
contains 19 rules

Set Password Quality Requirements   [ref]group

The default pam_pwquality PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. It can also require passwords to be in certain character classes. The pam_pwquality module is the preferred way of configuring password requirements.

The pam_cracklib PAM module can also provide strength checking for passwords as the pam_pwquality module. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. It can also require passwords to be in certain character classes.

The man pages pam_pwquality(8) and pam_cracklib(8) provide information on the capabilities and configuration of each.

contains 10 rules

Set Password Quality Requirements with pam_pwquality   [ref]group

The pam_pwquality PAM module can be configured to meet requirements for a variety of policies.

For example, to configure pam_pwquality to require at least one uppercase character, lowercase character, digit, and other (special) character, make sure that pam_pwquality exists in /etc/pam.d/system-auth:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. Next, modify the settings in /etc/security/pwquality.conf to match the following:
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows.

Warning:  Note that the password quality requirements are not enforced for the root account for some reason.
contains 10 rules

Set Password Retry Prompts Permitted Per-Session   [ref]rule

To configure the number of retry prompts that are permitted per-session:

Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to show retry=3, or a lower value if site policy is more restrictive.

The DoD requirement is a maximum of 3 prompts per session.

Rationale:

Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.

Severity:  low

Identifiers:  CCE-27160-1

References:  RHEL-07-010119, CM-6(b), IA-5(c), CCI-000366, 6.3.2, SRG-OS-000480-GPOS-00225, 5.5.3

Remediation Shell script:   (show)


var_password_pam_retry="3"

if grep -q "retry=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth
fi

Set Password Maximum Consecutive Repeating Characters   [ref]rule

The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal 2 to prevent a run of (2 + 1) or more identical characters.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.

Severity:  medium

Identifiers:  CCE-27333-4

References:  RHEL-07-010180, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040

Remediation Shell script:   (show)


var_password_pam_maxrepeat="2"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat 'CCE-27333-4' '%s = %s'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_password_pam_maxrepeat # promote to variable
  set_fact:
    var_password_pam_maxrepeat: 2
  tags:
    - always

- name: Ensure PAM variable maxrepeat is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^maxrepeat"
    line="maxrepeat = {{ var_password_pam_maxrepeat }}"
  tags:
    - accounts_password_pam_maxrepeat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27333-4
    - NIST-800-53-IA-5
    - NIST-800-53-IA-5(c)
    - DISA-STIG-RHEL-07-010180

Set Password to Maximum of Consecutive Repeating Characters from Same Character Class   [ref]rule

The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal 4 to prevent a run of (4 + 1) or more identical characters.

Rationale:

Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.

Severity:  medium

Identifiers:  CCE-27512-3

References:  RHEL-07-010190, IA-5, IA-5(c), CCI-000195, SRG-OS-000072-GPOS-00040

Remediation Shell script:   (show)


var_password_pam_maxclassrepeat="4"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' $var_password_pam_maxclassrepeat 'CCE-27512-3' '%s = %s'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_password_pam_maxclassrepeat # promote to variable
  set_fact:
    var_password_pam_maxclassrepeat: 4
  tags:
    - always

- name: Ensure PAM variable maxclassrepeat is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^maxclassrepeat"
    line="maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
  tags:
    - accounts_password_pam_maxclassrepeat
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27512-3
    - NIST-800-53-IA-5
    - NIST-800-53-IA-5(c)
    - DISA-STIG-RHEL-07-010190

Set Password Strength Minimum Digit Characters   [ref]rule

The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

Severity:  medium

Remediation Shell script:   (show)


var_password_pam_dcredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit 'CCE-27214-6' '%s = %s'
Remediation Ansible snippet:   (show)

- name: XCCDF Value var_password_pam_dcredit # promote to variable
  set_fact:
    var_password_pam_dcredit: -1
  tags:
    - always

- name: Ensure PAM variable dcredit is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^dcredit"
    line="dcredit = {{ var_password_pam_dcredit }}"
  tags:
    - accounts_password_pam_dcredit
    - medium_severity
    - CCE-27214-6
    - NIST-800-53-IA-5(1)(a)
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-194
    - PCI-DSS-Req-8.2.3
    - DISA-STIG-RHEL-07-010140

Set Password Minimum Length   [ref]rule

The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=15 after pam_pwquality to set minimum password length requirements.

Rationale:

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.

Severity:  medium

Remediation Shell script:   (show)


var_password_pam_minlen="15"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-27293-0' '%s = %s'
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: 15
  tags:
    - always

- name: Ensure PAM variable minlen is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^minlen"
    line="minlen = {{ var_password_pam_minlen }}"
  tags:
    - accounts_password_pam_minlen
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27293-0
    - NIST-800-53-IA-5(1)(a)
    - PCI-DSS-Req-8.2.3
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-07-010280

Set Password Strength Minimum Uppercase Characters   [ref]rule

The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Severity:  medium

Remediation Shell script:   (show)


var_password_pam_ucredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit 'CCE-27200-5' '%s = %s'
Remediation Ansible snippet:   (show)

- name: XCCDF Value var_password_pam_ucredit # promote to variable
  set_fact:
    var_password_pam_ucredit: -1
  tags:
    - always

- name: Ensure PAM variable ucredit is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^ucredit"
    line="ucredit = {{ var_password_pam_ucredit }}"
  tags:
    - accounts_password_pam_ucredit
    - medium_severity
    - CCE-27200-5
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - PCI-DSS-Req-8.2.3
    - DISA-STIG-RHEL-07-010120

Set Password Strength Minimum Special Characters   [ref]rule

The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal -1 to require use of a special character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.

Severity:  medium

Identifiers:  CCE-27360-7

References:  RHEL-07-010150, IA-5(b), IA-5(c), IA-5(1)(a), CCI-001619, SRG-OS-000266-GPOS-00101

Remediation Shell script:   (show)


var_password_pam_ocredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit 'CCE-27360-7' '%s = %s'
Remediation Ansible snippet:   (show)

- name: XCCDF Value var_password_pam_ocredit # promote to variable
  set_fact:
    var_password_pam_ocredit: -1
  tags:
    - always

- name: Ensure PAM variable ocredit is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^ocredit"
    line="ocredit = {{ var_password_pam_ocredit }}"
  tags:
    - accounts_password_pam_ocredit
    - medium_severity
    - CCE-27360-7
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - DISA-STIG-RHEL-07-010150

Set Password Strength Minimum Lowercase Characters   [ref]rule

The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.

Severity:  medium

Remediation Shell script:   (show)


var_password_pam_lcredit="-1"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit 'CCE-27345-8' '%s = %s'
Remediation Ansible snippet:   (show)

- name: XCCDF Value var_password_pam_lcredit # promote to variable
  set_fact:
    var_password_pam_lcredit: -1
  tags:
    - always

- name: Ensure PAM variable lcredit is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^lcredit"
    line="lcredit = {{ var_password_pam_lcredit }}"
  tags:
    - accounts_password_pam_lcredit
    - medium_severity
    - CCE-27345-8
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(a)
    - PCI-DSS-Req-8.2.3
    - DISA-STIG-RHEL-07-010130

Set Password Strength Minimum Different Characters   [ref]rule

The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal 8 to require differing characters when changing passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.

Severity:  medium

Remediation Shell script:   (show)


var_password_pam_difok="8"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok 'CCE-26631-2' '%s = %s'
Remediation Ansible snippet:   (show)

- name: XCCDF Value var_password_pam_difok # promote to variable
  set_fact:
    var_password_pam_difok: 8
  tags:
    - always

- name: Ensure PAM variable difok is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^difok"
    line="difok = {{ var_password_pam_difok }}"
  tags:
    - accounts_password_pam_difok
    - medium_severity
    - CCE-26631-2
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(b)
    - CJIS-5.6.2.1.1
    - DISA-STIG-RHEL-07-010160

Set Password Strength Minimum Different Categories   [ref]rule

The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:

* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.

Severity:  medium

Identifiers:  CCE-27115-5

References:  RHEL-07-010170, IA-5, CCI-000195, SRG-OS-000072-GPOS-00040

Remediation Shell script:   (show)


var_password_pam_minclass="4"
# Function to replace configuration setting in config file or add the configuration setting if
# it does not exist.
#
# Expects four arguments:
#
# config_file:		Configuration file that will be modified
# key:			Configuration option to change
# value:		Value of the configuration option to change
# cce:			The CCE identifier or '@CCENUM@' if no CCE identifier exists
#
# Optional arugments:
#
# format:		Optional argument to specify the format of how key/value should be
# 			modified/appended in the configuration file. The default is key = value.
#
# Example Call(s):
#
#     With default format of 'key = value':
#     replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
#
#     With custom key/value format:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
#
#     With a variable:
#     replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
#
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal @CCENUM@.
  # If @CCENUM@ exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] && [ "$cce" != '@CCENUM@' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" "$stripped_key" "$value"
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi "$key" $config_file` ; then
    eval '$sed_command "s/$key.*/$formatted_output/g" $config_file'
  else
    # \n is precaution for case where file ends without trailing newline
    echo -e "\n# Per $cce: Set $formatted_output in $config_file" >> $config_file
    echo -e "$formatted_output" >> $config_file
  fi

}

replace_or_append '/etc/security/pwquality.conf' '^minclass' $var_password_pam_minclass 'CCE-27115-5' '%s = %s'
Remediation Ansible snippet:   (show)

- name: XCCDF Value var_password_pam_minclass # promote to variable
  set_fact:
    var_password_pam_minclass: 4
  tags:
    - always

- name: Ensure PAM variable minclass is set accordingly
  lineinfile:
    create=yes
    dest="/etc/security/pwquality.conf"
    regexp="^minclass"
    line="minclass = {{ var_password_pam_minclass }}"
  tags:
    - accounts_password_pam_minclass
    - medium_severity
    - CCE-27115-5
    - NIST-800-53-IA-5
    - DISA-STIG-RHEL-07-010170

Set Lockouts for Failed Password Attempts   [ref]group

The pam_faillock PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in /usr/share/doc/pam-VERSION/txts/README.pam_faillock.

Warning:  Locking out user accounts presents the risk of a denial-of-service attack. The lockout policy must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting password guessing attacks.
contains 5 rules

Set Deny For Failed Password Attempts   [ref]rule

To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale:

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.

Severity:  medium

Remediation Shell script:   (show)


var_accounts_passwords_pam_faillock_deny="3"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

# This script fixes absence of pam_faillock.so in PAM stack or the
# absense of deny=[0-9]+ in pam_faillock.so arguments
# When inserting auth pam_faillock.so entries,
# the entry with preauth argument will be added before pam_unix.so module
# and entry with authfail argument will be added before pam_deny.so module.

# The placement of pam_faillock.so entries will not be changed
# if they are already present

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, deny directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then

			# both pam_faillock.so & deny present, just correct deny directive value
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile

		# pam_faillock.so present, but deny directive not yet
		else

			# append correct deny value to appropriate places
			sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
			sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth row with proper value of the 'deny' option before pam_unix.so
		sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
		# insert pam_faillock.so authfail row with proper value of the 'deny' option before pam_deny.so, after all modules which determine authentication outcome.
		sed -i --follow-symlinks "/^auth.*pam_deny.so.*/i auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
	fi

	# add pam_faillock.so into account phase
	if ! grep -q "^account.*required.*pam_faillock.so" $pamFile; then
		sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done

Set Lockout Time For Failed Password Attempts   [ref]rule

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale:

Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.

Severity:  medium

Remediation Shell script:   (show)


var_accounts_passwords_pam_faillock_unlock_time="never"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, unlock_time directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*unlock_time=" $pamFile; then

			# both pam_faillock.so & unlock_time present, just correct unlock_time directive value
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
			sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(unlock_time *= *\).*/\1\2$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile

		# pam_faillock.so present, but unlock_time directive not yet
		else

			# append correct unlock_time value to appropriate places
			sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
			sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ unlock_time=$var_accounts_passwords_pam_faillock_unlock_time/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth & authfail rows with proper value of the 'unlock_time' option
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail unlock_time=$var_accounts_passwords_pam_faillock_unlock_time" $pamFile
		sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done

Configure the root Account for Failed Password Attempts   [ref]rule

To configure the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Modify the following line in the AUTH section to add even_deny_root:
    auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=never fail_interval=900
  • Modify the following line in the AUTH section to add even_deny_root:
    auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=never fail_interval=900

Rationale:

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Severity:  medium

Remediation Shell script:   (show)


AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

# This script fixes absence of pam_faillock.so in PAM stack or the
# absense of even_deny_root and deny=[0-9]+ in pam_faillock.so arguments
# When inserting auth pam_faillock.so entries,
# the entry with preauth argument will be added before pam_unix.so module
# and entry with authfail argument will be added before pam_deny.so module.

# The placement of pam_faillock.so entries will not be changed
# if they are already present

for pamFile in "${AUTH_FILES[@]}"
do
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, preauth even_deny_root directive present?
		if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" $pamFile; then
			# even_deny_root is not present
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" $pamFile
		fi

		# pam_faillock.so present, authfail even_deny_root directive present?
		if ! grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" $pamFile; then
			# even_deny_root is not present
			sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth row with proper value of the 'deny' option before pam_unix.so
		sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent even_deny_root" $pamFile
		# insert pam_faillock.so authfail row with proper value of the 'deny' option before pam_deny.so, after all modules which determine authentication outcome.
		sed -i --follow-symlinks "/^auth.*pam_deny.so.*/i auth        [default=die] pam_faillock.so authfail silent even_deny_root" $pamFile
	fi

done

Set Interval For Counting Failed Password Attempts   [ref]rule

Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an accounts after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
  • Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900
  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so

Rationale:

By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Severity:  medium

Remediation Shell script:   (show)


var_accounts_passwords_pam_faillock_fail_interval="900"

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	
	# pam_faillock.so already present?
	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then

		# pam_faillock.so present, 'fail_interval' directive present?
		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*fail_interval=" $pamFile; then

			# both pam_faillock.so & 'fail_interval' present, just correct 'fail_interval' directive value
			sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(fail_interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile
			sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(fail_interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile

		# pam_faillock.so present, but 'fail_interval' directive not yet
		else

			# append correct 'fail_interval' value to appropriate places
			sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ fail_interval=$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile
			sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ fail_interval=$var_accounts_passwords_pam_faillock_fail_interval/" $pamFile
		fi

	# pam_faillock.so not present yet
	else

		# insert pam_faillock.so preauth & authfail rows with proper value of the 'fail_interval' option
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent fail_interval=$var_accounts_passwords_pam_faillock_fail_interval" $pamFile
		sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail fail_interval=$var_accounts_passwords_pam_faillock_fail_interval" $pamFile
		sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
	fi
done

Limit Password Reuse   [ref]rule

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember=5 to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:

  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=5
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=5
The DoD STIG requirement is 5 passwords.

Rationale:

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Severity:  medium

Remediation Shell script:   (show)


var_password_pam_unix_remember="5"

if grep -q "remember=" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
else
	sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
fi

Set Password Hashing Algorithm   [ref]group

The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations.

contains 3 rules

Set PAM's Password Hashing Algorithm   [ref]rule

The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/system-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:

password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.

Rationale:

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

Severity:  medium

Remediation Shell script:   (show)

if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" /etc/pam.d/system-auth; then   
	sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" /etc/pam.d/system-auth
fi

Set Password Hashing Algorithm in /etc/login.defs   [ref]rule

In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:

ENCRYPT_METHOD SHA512

Rationale:

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Severity:  medium

Remediation Shell script:   (show)

if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then
	sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs
else
	echo "" >> /etc/login.defs
	echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: Set Password Hashing Algorithm in /etc/login.defs
  lineinfile:
      dest: /etc/login.defs
      regexp: ^#?ENCRYPT_METHOD
      line: ENCRYPT_METHOD SHA512
      state: present
  tags:
    - set_password_hashing_algorithm_logindefs
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27124-7
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-7
    - NIST-800-171-3.13.11
    - PCI-DSS-Req-8.2.1
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-07-010210

Set Password Hashing Algorithm in /etc/libuser.conf   [ref]rule

In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:

crypt_style = sha512

Rationale:

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.

Severity:  medium

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:restrict
- name: Set Password Hashing Algorithm in /etc/libuser.conf
  lineinfile:
    dest: /etc/libuser.conf
    insertafter: "^.default]"
    regexp: ^#?crypt_style
    line: crypt_style = sha512
    state: present
  tags:
    - set_password_hashing_algorithm_libuserconf
    - medium_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27053-8
    - NIST-800-53-IA-5(b)
    - NIST-800-53-IA-5(c)
    - NIST-800-53-IA-5(1)(c)
    - NIST-800-53-IA-7
    - NIST-800-171-3.13.11
    - PCI-DSS-Req-8.2.1
    - CJIS-5.6.2.2
    - DISA-STIG-RHEL-07-010220

Secure Session Configuration Files for Login Accounts   [ref]group

When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissions as a result of user error or misconfiguration. If an attacker can modify or even read certain types of account configuration information, they can often gain full access to the affected user's account. Therefore, it is important to test and correct configuration file permissions for interactive accounts, particularly those of privileged users such as root or system administrators.

contains 4 rules

Ensure that Users Have Sensible Umask Values   [ref]group

The umask setting controls the default permissions for the creation of new files. With a default umask setting of 077, files and directories created by users will not be readable by any other user on the system. Users who wish to make specific files group- or world-readable can accomplish this by using the chmod command. Additionally, users can make all their files readable to their group by default by setting a umask of 027 in their shell configuration files. If default per-user groups exist (that is, if every user has a default group whose name is the same as that user's username and whose only member is the user), then it may even be safe for users to select a umask of 007, making it very easy to intentionally share files with groups of which the user is a member.

contains 1 rule

Set Interactive Session Timeout   [ref]rule

Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:

TMOUT=600

Rationale:

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.

Severity:  medium

Identifiers:  CCE-27557-8

References:  RHEL-07-040160, AC-12, SC-10, CCI-001133, CCI-000361, SRG-OS-000163-GPOS-00072, 3.1.11

Remediation Shell script: