├── .gitignore ├── README.md ├── Vagrantfile ├── controls ├── RHEL-07-010010.rb ├── RHEL-07-010020.rb ├── RHEL-07-010030.rb ├── RHEL-07-010031.rb ├── RHEL-07-010040.rb ├── RHEL-07-010060.rb ├── RHEL-07-010070.rb ├── RHEL-07-010071.rb ├── RHEL-07-010072.rb ├── RHEL-07-010073.rb ├── RHEL-07-010074.rb ├── RHEL-07-010090.rb ├── RHEL-07-010100.rb ├── RHEL-07-010110.rb ├── RHEL-07-010120.rb ├── RHEL-07-010130.rb ├── RHEL-07-010140.rb ├── RHEL-07-010150.rb ├── RHEL-07-010160.rb ├── RHEL-07-010170.rb ├── RHEL-07-010180.rb ├── RHEL-07-010190.rb ├── RHEL-07-010200.rb ├── RHEL-07-010210.rb ├── RHEL-07-010220.rb ├── RHEL-07-010230.rb ├── RHEL-07-010240.rb ├── RHEL-07-010250.rb ├── RHEL-07-010260.rb ├── RHEL-07-010270.rb ├── RHEL-07-010280.rb ├── RHEL-07-010371.rb ├── RHEL-07-010372.rb ├── RHEL-07-010373.rb ├── RHEL-07-010380.rb ├── RHEL-07-010381.rb ├── RHEL-07-010400.rb ├── RHEL-07-010401.rb ├── RHEL-07-010402.rb ├── RHEL-07-010420.rb ├── RHEL-07-010430.rb ├── RHEL-07-010431.rb ├── RHEL-07-010440.rb ├── RHEL-07-010441.rb ├── RHEL-07-010442.rb ├── RHEL-07-010460.rb ├── RHEL-07-010470.rb ├── RHEL-07-010490.rb ├── RHEL-07-010500.rb ├── RHEL-07-020000.rb ├── RHEL-07-020010.rb ├── RHEL-07-020090.rb ├── RHEL-07-020130.rb ├── RHEL-07-020140.rb ├── RHEL-07-020150.rb ├── RHEL-07-020151.rb ├── RHEL-07-020152.rb ├── RHEL-07-020160.rb ├── RHEL-07-020161.rb ├── RHEL-07-020170.rb ├── RHEL-07-020200.rb ├── RHEL-07-020210.rb ├── RHEL-07-020211.rb ├── RHEL-07-020220.rb ├── RHEL-07-020230.rb ├── RHEL-07-020240.rb ├── RHEL-07-020250.rb ├── RHEL-07-020290.rb ├── RHEL-07-020300.rb ├── RHEL-07-020310.rb ├── RHEL-07-020360.rb ├── RHEL-07-020370.rb ├── RHEL-07-020620.rb ├── RHEL-07-020630.rb ├── RHEL-07-020640.rb ├── RHEL-07-020650.rb ├── RHEL-07-020660.rb ├── RHEL-07-020670.rb ├── RHEL-07-020680.rb ├── RHEL-07-020690.rb ├── RHEL-07-020700.rb ├── RHEL-07-020840.rb ├── RHEL-07-020850.rb ├── RHEL-07-020860.rb ├── RHEL-07-020870.rb ├── RHEL-07-020880.rb ├── RHEL-07-020940.rb ├── RHEL-07-021010.rb ├── 
RHEL-07-021011.rb ├── RHEL-07-021012.rb ├── RHEL-07-021050.rb ├── RHEL-07-021060.rb ├── RHEL-07-021160.rb ├── RHEL-07-021190.rb ├── RHEL-07-021200.rb ├── RHEL-07-021230.rb ├── RHEL-07-021240.rb ├── RHEL-07-021250.rb ├── RHEL-07-021260.rb ├── RHEL-07-021270.rb ├── RHEL-07-021280.rb ├── RHEL-07-021600.rb ├── RHEL-07-021610.rb ├── RHEL-07-021620.rb ├── RHEL-07-021760.rb ├── RHEL-07-021910.rb ├── RHEL-07-030010.rb ├── RHEL-07-030090.rb ├── RHEL-07-030310.rb ├── RHEL-07-030330.rb ├── RHEL-07-030331.rb ├── RHEL-07-030340.rb ├── RHEL-07-030350.rb ├── RHEL-07-030351.rb ├── RHEL-07-030352.rb ├── RHEL-07-030380.rb ├── RHEL-07-030381.rb ├── RHEL-07-030382.rb ├── RHEL-07-030383.rb ├── RHEL-07-030390.rb ├── RHEL-07-030391.rb ├── RHEL-07-030392.rb ├── RHEL-07-030400.rb ├── RHEL-07-030401.rb ├── RHEL-07-030402.rb ├── RHEL-07-030403.rb ├── RHEL-07-030404.rb ├── RHEL-07-030405.rb ├── RHEL-07-030420.rb ├── RHEL-07-030421.rb ├── RHEL-07-030422.rb ├── RHEL-07-030423.rb ├── RHEL-07-030424.rb ├── RHEL-07-030425.rb ├── RHEL-07-030441.rb ├── RHEL-07-030442.rb ├── RHEL-07-030443.rb ├── RHEL-07-030444.rb ├── RHEL-07-030490.rb ├── RHEL-07-030491.rb ├── RHEL-07-030492.rb ├── RHEL-07-030510.rb ├── RHEL-07-030511.rb ├── RHEL-07-030512.rb ├── RHEL-07-030513.rb ├── RHEL-07-030514.rb ├── RHEL-07-030521.rb ├── RHEL-07-030522.rb ├── RHEL-07-030523.rb ├── RHEL-07-030524.rb ├── RHEL-07-030525.rb ├── RHEL-07-030526.rb ├── RHEL-07-030530.rb ├── RHEL-07-030531.rb ├── RHEL-07-030540.rb ├── RHEL-07-030541.rb ├── RHEL-07-030550.rb ├── RHEL-07-030560.rb ├── RHEL-07-030561.rb ├── RHEL-07-030630.rb ├── RHEL-07-030670.rb ├── RHEL-07-030671.rb ├── RHEL-07-030672.rb ├── RHEL-07-030673.rb ├── RHEL-07-030674.rb ├── RHEL-07-030710.rb ├── RHEL-07-030750.rb ├── RHEL-07-030751.rb ├── RHEL-07-030752.rb ├── RHEL-07-030753.rb ├── RHEL-07-030754.rb ├── RHEL-07-030770.rb ├── RHEL-07-030780.rb ├── RHEL-07-030810.rb ├── RHEL-07-030820.rb ├── RHEL-07-040010.rb ├── RHEL-07-040020.rb ├── RHEL-07-040030.rb ├── RHEL-07-040040.rb 
├── RHEL-07-040050.rb ├── RHEL-07-040060.rb ├── RHEL-07-040070.rb ├── RHEL-07-040080.rb ├── RHEL-07-040100.rb ├── RHEL-07-040110.rb ├── RHEL-07-040160.rb ├── RHEL-07-040170.rb ├── RHEL-07-040180.rb ├── RHEL-07-040181.rb ├── RHEL-07-040182.rb ├── RHEL-07-040190.rb ├── RHEL-07-040191.rb ├── RHEL-07-040210.rb ├── RHEL-07-040230.rb ├── RHEL-07-040250.rb ├── RHEL-07-040260.rb ├── RHEL-07-040261.rb ├── RHEL-07-040290.rb ├── RHEL-07-040300.rb ├── RHEL-07-040301.rb ├── RHEL-07-040310.rb ├── RHEL-07-040320.rb ├── RHEL-07-040330.rb ├── RHEL-07-040331.rb ├── RHEL-07-040332.rb ├── RHEL-07-040333.rb ├── RHEL-07-040334.rb ├── RHEL-07-040350.rb ├── RHEL-07-040351.rb ├── RHEL-07-040380.rb ├── RHEL-07-040410.rb ├── RHEL-07-040420.rb ├── RHEL-07-040421.rb ├── RHEL-07-040470.rb ├── RHEL-07-040480.rb ├── RHEL-07-040490.rb ├── RHEL-07-040500.rb ├── RHEL-07-040520.rb ├── RHEL-07-040540.rb ├── RHEL-07-040560.rb ├── RHEL-07-040580.rb ├── RHEL-07-040590.rb ├── RHEL-07-040620.rb ├── RHEL-07-040640.rb ├── RHEL-07-040650.rb ├── RHEL-07-040660.rb ├── RHEL-07-040670.rb ├── RHEL-07-040680.rb ├── RHEL-07-040690.rb ├── RHEL-07-040700.rb ├── RHEL-07-040730.rb ├── RHEL-07-040740.rb ├── RHEL-07-040810.rb ├── RHEL-07-040820.rb ├── RHEL-07-040830.rb └── RHEL-07-040860.rb ├── inspec.yml └── libraries └── iptables6.rb /.gitignore: -------------------------------------------------------------------------------- 1 | inspec.deb 2 | inspec.rpm 3 | .vagrant 4 | inspec.lock 5 | .idea 6 | .DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # inspec-stig-rhel7 2 | 3 | Inspec for RHEL7 STIG. 4 | 5 | 6 | ## RHEL7 STIG notes 7 | 8 | ### Auditd rules 9 | 10 | The official STIGs auditd rules are not in the correct syntax or outdated in a few ways. Below is the list of the issues found and how to correct them. 11 | 12 | 1. 
Rules where the ``key`` field is missing the ``-F`` parameter, which breaks the rule syntax 13 | * **Fix**: Prepend ``-F`` to the ``key`` field of the affected rules 14 | 2. Rules that use the field ``subj``, which is not a valid field name; the correct ``subj`` field names are ``subj_user``, ``subj_role``, ``subj_type``, ``subj_sen``, ``subj_clr`` 15 | * **Fix**: Lines where ``-F subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023`` is defined need to be changed to ``-F subj_user=unconfined_u -F subj_role=unconfined_r -F subj_type=unconfined_t -F subj_sen=s0-s0 -F subj_clr=c0.c1023``, splitting the single field out into the correct per-field syntax 16 | 3. Rules with the field and value ``-F auid!=4294967295`` can be set to the proper value of ``-F auid!=-1`` 17 | * **Info**: Setting the value to ``4294967295`` was a workaround for a kernel issue described [here](http://lkml.iu.edu/hypermail/linux/kernel/1304.1/01594.html). The value can now safely be set to ``-1`` 18 | 19 | ### RHEL-07-040333 20 | 21 | The official STIG recommends that RhostsRSAAuthentication be set to ``yes``, but this appears to be erroneous, as pointed out by @lihkin213. Its value should be set to ``no``. The control has been updated to address this. 22 | 23 | 24 | ## Getting Started 25 | 26 | Assuming you have Vagrant installed, you can use the following to 27 | get a machine capable of running the STIGs. 
28 | 29 | ``` 30 | $ git clone https://github.com/inspec-stigs/inspec-stig-rhel7.git 31 | $ cd inspec-stig-rhel7 32 | $ vagrant up 33 | 34 | ``` 35 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | $inspec_url = 'https://packages.chef.io/stable/el/7/inspec-1.6.0-1.el7.x86_64.rpm' 5 | 6 | Vagrant.configure(2) do |config| 7 | config.vm.box = "centos/7" 8 | config.vm.synced_folder ".", "/vagrant", type: "nfs" 9 | config.vm.network :private_network, ip: "172.16.0.100" 10 | config.vm.provision "shell", inline: <<-SHELL 11 | rpm -qa | grep inspec || sudo yum install -y $inspec_url 12 | SHELL 13 | end 14 | -------------------------------------------------------------------------------- /controls/RHEL-07-010010.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010010 - The file permissions, ownership, and group membership of system files and commands must match the vendor values.' 8 | control 'RHEL-07-010010' do 9 | impact 1.0 10 | title 'The file permissions, ownership, and group membership of system files and commands must match the vendor values.' 11 | desc 'Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default. 
Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108' 12 | tag 'stig', 'RHEL-07-010010' 13 | tag severity: 'high' 14 | tag checkid: 'C-RHEL-07-010010_chk' 15 | tag fixid: 'F-RHEL-07-010010_fix' 16 | tag version: 'RHEL-07-010010' 17 | tag ruleid: 'RHEL-07-010010_rule' 18 | tag fixtext: 'Run the following command to determine which package owns the file: 19 | 20 | # rpm -qf 21 | 22 | Reset the permissions of files within a package with the following command: 23 | 24 | #rpm --setperms 25 | 26 | Reset the user and group ownership of files within a package with the following command: 27 | 28 | #rpm --setugids ' 29 | tag checktext: 'Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. 30 | Check the file permissions, ownership, and group membership of system files and commands with the following command: 31 | 32 | # rpm -Va | grep \'^.M\' 33 | 34 | If there is any output from the command, this is a finding.' 35 | 36 | # START_DESCRIBE RHEL-07-010010 37 | if os[:family] == 'redhat' 38 | describe command("rpm -Va | grep '^.M'") do 39 | its('stdout') { should eq '' } 40 | end 41 | end 42 | # STOP_DESCRIBE RHEL-07-010010 43 | 44 | end 45 | 46 | -------------------------------------------------------------------------------- /controls/RHEL-07-010020.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values.' 8 | control 'RHEL-07-010020' do 9 | impact 1.0 10 | title 'The cryptographic hash of system files and commands must match vendor values.' 11 | desc 'Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.' 12 | tag 'stig', 'RHEL-07-010020' 13 | tag severity: 'high' 14 | tag checkid: 'C-RHEL-07-010020_chk' 15 | tag fixid: 'F-RHEL-07-010020_fix' 16 | tag version: 'RHEL-07-010020' 17 | tag ruleid: 'RHEL-07-010020_rule' 18 | tag fixtext: 'Run the following command to determine which package owns the file: 19 | 20 | # rpm -qf 21 | 22 | The package can be reinstalled from a yum repository using the command: 23 | 24 | # sudo yum reinstall 25 | 26 | Alternatively, the package can be reinstalled from trusted media using the command: 27 | 28 | # sudo rpm -Uvh ' 29 | tag checktext: 'Verify the cryptographic hash of system files and commands match the vendor values. 30 | 31 | Check the cryptographic hash of system files and commands with the following command: 32 | 33 | Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log. 34 | 35 | # rpm -Va | grep \'^..5\' 36 | 37 | If there is any output from the command for system binaries, this is a finding.' 
38 | 39 | # START_DESCRIBE RHEL-07-010020 40 | if os[:family] == 'redhat' 41 | describe command("rpm -Va | grep '^..5'") do 42 | its('stdout') { should eq '' } 43 | end 44 | end 45 | 46 | # STOP_DESCRIBE RHEL-07-010020 47 | 48 | end 49 | 50 | -------------------------------------------------------------------------------- /controls/RHEL-07-010072.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010072 - The operating system must have the screen package installed.' 8 | control 'RHEL-07-010072' do 9 | impact 0.5 10 | title 'The operating system must have the screen package installed.' 11 | desc 'A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user\'s session has idled and take action to initiate the session lock. The screen package allows for a session lock to be implemented and configured.' 
12 | tag 'stig', 'RHEL-07-010072' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010072_chk' 15 | tag fixid: 'F-RHEL-07-010072_fix' 16 | tag version: 'RHEL-07-010072' 17 | tag ruleid: 'RHEL-07-010072_rule' 18 | tag fixtext: 'Install the screen package to allow the initiation a session lock after a 15-minute period of inactivity for graphical users interfaces. 19 | 20 | Install the screen program (if it is not on the system) with the following command: 21 | 22 | # yum install screen 23 | 24 | The console can now be locked with the following key combination: 25 | 26 | ctrl+a x' 27 | tag checktext: 'Verify the operating system has the screen package installed. 28 | 29 | Check to see if the screen package is installed with the following command: 30 | 31 | # yum list installed | grep screen 32 | screen-4.3.1-3-x86_64.rpm 33 | 34 | If is not installed, this is a finding.' 35 | 36 | # START_DESCRIBE RHEL-07-010072 37 | describe package('screen') do 38 | it { should be_installed } 39 | end 40 | # STOP_DESCRIBE RHEL-07-010072 41 | 42 | end 43 | 44 | -------------------------------------------------------------------------------- /controls/RHEL-07-010090.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010090 - When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.' 
8 | control 'RHEL-07-010090' do 9 | impact 0.5 10 | title 'When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.' 11 | desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' 12 | tag 'stig', 'RHEL-07-010090' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010090_chk' 15 | tag fixid: 'F-RHEL-07-010090_fix' 16 | tag version: 'RHEL-07-010090' 17 | tag ruleid: 'RHEL-07-010090_rule' 18 | tag fixtext: 'Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the “ucredit” option. 19 | 20 | Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): 21 | 22 | ucredit = -1' 23 | tag checktext: 'Note: The value to require a number of upper-case characters to be set is expressed as a negative number in /etc/security/pwquality.conf. 24 | 25 | Check the value for "ucredit" in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep ucredit /etc/security/pwquality.conf 28 | ucredit = -1 29 | 30 | If the value of "ucredit" is not set to a negative value, this is a finding.' 
31 | 32 | # START_DESCRIBE RHEL-07-010090 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('ucredit') { should match /^-/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010090 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010100.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010100 - When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.' 8 | control 'RHEL-07-010100' do 9 | impact 0.5 10 | title 'When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.' 11 | desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' 
12 | tag 'stig', 'RHEL-07-010100' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010100_chk' 15 | tag fixid: 'F-RHEL-07-010100_fix' 16 | tag version: 'RHEL-07-010100' 17 | tag ruleid: 'RHEL-07-010100_rule' 18 | tag fixtext: 'Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the “lcredit” option. 19 | 20 | Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): 21 | 22 | lcredit = -1' 23 | tag checktext: 'Note: The value to require a number of lower-case characters to be set is expressed as a negative number in /etc/security/pwquality.conf. 24 | 25 | Check the value for "lcredit" in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep lcredit /etc/security/pwquality.conf 28 | lcredit = -1 29 | 30 | If the value of "lcredit" is not set to a negative value, this is a finding.' 31 | 32 | # START_DESCRIBE RHEL-07-010100 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('lcredit') { should match /^-/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010100 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010110.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-010110 - When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.' 8 | control 'RHEL-07-010110' do 9 | impact 0.5 10 | title 'When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.' 11 | desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' 12 | tag 'stig', 'RHEL-07-010110' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010110_chk' 15 | tag fixid: 'F-RHEL-07-010110_fix' 16 | tag version: 'RHEL-07-010110' 17 | tag ruleid: 'RHEL-07-010110_rule' 18 | tag fixtext: 'Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the “dcredit” option. 19 | 20 | Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): 21 | 22 | dcredit = -1' 23 | tag checktext: 'Note: The value to require a number of numeric characters to be set is expressed as a negative number in /etc/security/pwquality.conf. 24 | 25 | Check the value for "dcredit" in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep dcredit /etc/security/pwquality.conf 28 | dcredit = -1 29 | 30 | If the value of “dcredit” is not set to a negative value, this is a finding.' 
31 | 32 | # START_DESCRIBE RHEL-07-010110 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('dcredit') { should match /^-/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010110 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010130.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010130 - When passwords are changed a minimum of eight of the total number of characters must be changed.' 8 | control 'RHEL-07-010130' do 9 | impact 0.5 10 | title 'When passwords are changed a minimum of eight of the total number of characters must be changed.' 11 | desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' 
12 | tag 'stig', 'RHEL-07-010130' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010130_chk' 15 | tag fixid: 'F-RHEL-07-010130_fix' 16 | tag version: 'RHEL-07-010130' 17 | tag ruleid: 'RHEL-07-010130_rule' 18 | tag fixtext: 'Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the “difok” option. 19 | 20 | Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): 21 | 22 | difok = 8' 23 | tag checktext: 'The "difok" option sets the number of characters in a password that must not be present in the old password. 24 | 25 | Check for the value of the difok option in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep difok /etc/security/pwquality.conf 28 | difok = 8 29 | 30 | If the value of “difok” is set to less than 8, this is a finding.' 31 | 32 | # START_DESCRIBE RHEL-07-010130 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('difok') { should match /([8-9]|[1-9][0-9])/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010130 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010140.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010140 - When passwords are changed a minimum of four character classes must be changed.' 
8 | control 'RHEL-07-010140' do 9 | impact 0.5 10 | title 'When passwords are changed a minimum of four character classes must be changed.' 11 | desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' 12 | tag 'stig', 'RHEL-07-010140' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010140_chk' 15 | tag fixid: 'F-RHEL-07-010140_fix' 16 | tag version: 'RHEL-07-010140' 17 | tag ruleid: 'RHEL-07-010140_rule' 18 | tag fixtext: 'Configure the operating system to require the change of at least four character classes when passwords are changed by setting the “minclass” option. 19 | 20 | Add the following line to /etc/security/pwquality.conf conf (or modify the line to have the required value): 21 | 22 | minclass = 4' 23 | tag checktext: 'The "minclass" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). 24 | 25 | Check for the value of the “minclass” option in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep minclass /etc/security/pwquality.conf 28 | minclass = 4 29 | 30 | If the value of “minclass” is set to less than 4, this is a finding.' 
31 | 32 | # START_DESCRIBE RHEL-07-010140 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('minclass') { should match /([4-9]|[1-9][0-9])/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010140 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010150.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010150 - When passwords are changed the number of repeating consecutive characters must not be more than four characters.' 8 | control 'RHEL-07-010150' do 9 | impact 0.5 10 | title 'When passwords are changed the number of repeating consecutive characters must not be more than four characters.' 11 | desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.' 
12 | tag 'stig', 'RHEL-07-010150' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010150_chk' 15 | tag fixid: 'F-RHEL-07-010150_fix' 16 | tag version: 'RHEL-07-010150' 17 | tag ruleid: 'RHEL-07-010150_rule' 18 | tag fixtext: 'Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the “maxrepeat” option. 19 | 20 | Add the following line to /etc/security/pwquality.conf conf (or modify the line to have the required value): 21 | 22 | maxrepeat = 2' 23 | tag checktext: 'The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password. 24 | 25 | Check for the value of the “maxrepeat” option in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep maxrepeat /etc/security/pwquality.conf 28 | maxrepeat = 2 29 | 30 | If the value of “maxrepeat” is set to more than 2, this is a finding.' 31 | 32 | # START_DESCRIBE RHEL-07-010150 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('maxrepeat') { should match /([1-2])/ } 35 | its('maxrepeat') { should_not match /([3-9]|[1-9][0-9])/ } 36 | end 37 | # STOP_DESCRIBE RHEL-07-010150 38 | 39 | end 40 | 41 | -------------------------------------------------------------------------------- /controls/RHEL-07-010170.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-010170 - The PAM system service must be configured to store only encrypted representations of passwords.' 8 | control 'RHEL-07-010170' do 9 | impact 0.5 10 | title 'The PAM system service must be configured to store only encrypted representations of passwords.' 11 | desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.' 12 | tag 'stig', 'RHEL-07-010170' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010170_chk' 15 | tag fixid: 'F-RHEL-07-010170_fix' 16 | tag version: 'RHEL-07-010170' 17 | tag ruleid: 'RHEL-07-010170_rule' 18 | tag fixtext: 'Configure the operating system to store only SHA512 encrypted representations of passwords. 19 | 20 | Add the following line in /etc/pam.d/system-auth: 21 | 22 | password sufficient pam_unix.so sha512' 23 | tag checktext: 'Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. 24 | 25 | Check that the system is configured to create SHA512 hashed passwords with the following command: 26 | 27 | # grep password /etc/pam.d/system-auth 28 | password sufficient pam_unix.so sha512 29 | 30 | If the /etc/pam.d/system-auth configuration files allow for password hashes other than SHA512 to be used, this is a finding.' 
31 | 32 | # START_DESCRIBE RHEL-07-010170 33 | describe file('/etc/pam.d/system-auth') do 34 | its('content') { should match /password\s+sufficient\s+pam_unix.so\s+sha512/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010170 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010180.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010180 - The shadow file must be configured to store only encrypted representations of passwords.' 8 | control 'RHEL-07-010180' do 9 | impact 0.5 10 | title 'The shadow file must be configured to store only encrypted representations of passwords.' 11 | desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.' 12 | tag 'stig', 'RHEL-07-010180' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010180_chk' 15 | tag fixid: 'F-RHEL-07-010180_fix' 16 | tag version: 'RHEL-07-010180' 17 | tag ruleid: 'RHEL-07-010180_rule' 18 | tag fixtext: 'Configure the operating system to store only SHA512 encrypted representations of passwords. 
19 | 20 | Add or update the following line in /etc/login.defs: 21 | 22 | ENCRYPT_METHOD SHA512' 23 | tag checktext: 'Verify the system\'s shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. 24 | 25 | Check that the system is configured to create SHA512 hashed passwords with the following command: 26 | 27 | # grep -i encrypt /etc/login.defs 28 | ENCRYPT_METHOD SHA512 29 | 30 | If the /etc/login.defs configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.' 31 | 32 | # START_DESCRIBE RHEL-07-010180 33 | options = { 34 | assignment_regex: /^(\w+)\s+(\w+?)\s*$/ 35 | } 36 | describe parse_config_file('/etc/login.defs', options) do 37 | its('ENCRYPT_METHOD') { should eq 'SHA512' } 38 | end 39 | # STOP_DESCRIBE RHEL-07-010180 40 | 41 | end 42 | 43 | -------------------------------------------------------------------------------- /controls/RHEL-07-010190.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.' 8 | control 'RHEL-07-010190' do 9 | impact 0.5 10 | title 'User and group account administration utilities must be configured to store only encrypted representations of passwords.' 
11 | desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.' 12 | tag 'stig', 'RHEL-07-010190' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010190_chk' 15 | tag fixid: 'F-RHEL-07-010190_fix' 16 | tag version: 'RHEL-07-010190' 17 | tag ruleid: 'RHEL-07-010190_rule' 18 | tag fixtext: 'Configure the operating system to store only SHA512 encrypted representations of passwords. 19 | 20 | Add or update the following line in /etc/libuser.conf in the [defaults] section: 21 | 22 | crypt_style = sha512' 23 | tag checktext: 'Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. 24 | 25 | Check that the system is configured to create SHA512 hashed passwords with the following command: 26 | 27 | # cat /etc/libuser.conf | grep -i sha512 28 | [defaults] 29 | 30 | crypt_style = sha512 31 | 32 | If the "crypt_style" variable is not set to "crypt_style", is not in the defaults section, or does not exist, this is a finding.' 
33 | 34 | # START_DESCRIBE RHEL-07-010190 35 | describe parse_config_file('/etc/libuser.conf') do 36 | its('defaults') { should include('crypt_style' => 'sha512') } 37 | end 38 | # STOP_DESCRIBE RHEL-07-010190 39 | 40 | end 41 | 42 | -------------------------------------------------------------------------------- /controls/RHEL-07-010200.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010200 - Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime.' 8 | control 'RHEL-07-010200' do 9 | impact 0.5 10 | title 'Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime.' 11 | desc 'Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization\'s policy regarding password reuse.' 12 | tag 'stig', 'RHEL-07-010200' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010200_chk' 15 | tag fixid: 'F-RHEL-07-010200_fix' 16 | tag version: 'RHEL-07-010200' 17 | tag ruleid: 'RHEL-07-010200_rule' 18 | tag fixtext: 'Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. 
19 | 20 | Add the following line in /etc/login.defs (or modify the line to have the required value): 21 | 22 | PASS_MIN_DAYS 1' 23 | tag checktext: 'Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. 24 | 25 | Check for the value of “PASS_MIN_DAYS” in /etc/login.defs with the following command: 26 | 27 | # grep -i pass_min_days /etc/login.defs 28 | PASS_MIN_DAYS 1 29 | 30 | If the “PASS_MIN_DAYS” parameter value is not “1” or greater, or is commented out, this is a finding.' 31 | 32 | # START_DESCRIBE RHEL-07-010200 33 | options = { 34 | assignment_regex: /^(\w+)\s+(\w+?)$/ 35 | } 36 | describe parse_config_file('/etc/login.defs', options) do 37 | its('PASS_MIN_DAYS') { should match /[1-9]|[0-9][1-9]/ } 38 | end 39 | # STOP_DESCRIBE RHEL-07-010200 40 | 41 | end 42 | 43 | -------------------------------------------------------------------------------- /controls/RHEL-07-010210.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | system_users = attribute('system_users', default: [], description: 'list of known system users') 8 | title 'RHEL-07-010210 - Passwords must be restricted to a 24 hours/1 day minimum lifetime.' 9 | control 'RHEL-07-010210' do 10 | impact 0.5 11 | title 'Passwords must be restricted to a 24 hours/1 day minimum lifetime.' 
12 | desc 'Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization\'s policy regarding password reuse.' 13 | tag 'stig', 'RHEL-07-010210' 14 | tag severity: 'medium' 15 | tag checkid: 'C-RHEL-07-010210_chk' 16 | tag fixid: 'F-RHEL-07-010210_fix' 17 | tag version: 'RHEL-07-010210' 18 | tag ruleid: 'RHEL-07-010210_rule' 19 | tag fixtext: 'Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: 20 | 21 | # chage -m 1 [user]' 22 | tag checktext: 'Check whether the minimum time period between password changes for each user account is one day or greater. 23 | 24 | # awk -F: \'$4 < 1 {print $1}\' /etc/shadow 25 | 26 | If any results are returned that are not associated with a system account, this is a finding.' 27 | 28 | # START_DESCRIBE RHEL-07-010210 29 | if system_users.length > 0 30 | describe command("awk -F: '$4 < 1 {print $1}' /etc/shadow") do 31 | its('stdout') { should eq '' } 32 | end 33 | end 34 | # STOP_DESCRIBE RHEL-07-010210 35 | 36 | end 37 | 38 | -------------------------------------------------------------------------------- /controls/RHEL-07-010220.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-010220 - Passwords for new users must be restricted to a 60-day maximum lifetime.' 8 | control 'RHEL-07-010220' do 9 | impact 0.5 10 | title 'Passwords for new users must be restricted to a 60-day maximum lifetime.' 11 | desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.' 12 | tag 'stig', 'RHEL-07-010220' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010220_chk' 15 | tag fixid: 'F-RHEL-07-010220_fix' 16 | tag version: 'RHEL-07-010220' 17 | tag ruleid: 'RHEL-07-010220_rule' 18 | tag fixtext: 'Configure the operating system to enforce a 60-day maximum password lifetime restriction. 19 | 20 | Add the following line in /etc/login.defs (or modify the line to have the required value): 21 | 22 | PASS_MAX_DAYS 60' 23 | tag checktext: 'Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts. 24 | 25 | Check for the value of “PASS_MAX_DAYS” in /etc/login.defs with the following command: 26 | 27 | # grep -i pass_max_days /etc/login.defs 28 | PASS_MAX_DAYS 60 29 | 30 | If the “PASS_MAX_DAYS” parameter value is not 60 or less, or is commented out, this is a finding.' 
31 | 32 | # START_DESCRIBE RHEL-07-010220 33 | options = { 34 | assignment_regex: /^(\w+)\s+(\w+?)$/ 35 | } 36 | describe parse_config_file('/etc/login.defs', options) do 37 | its('PASS_MAX_DAYS') { should_not eq nil } 38 | its('PASS_MAX_DAYS') { should_not match /[6-9][1-9]|[7-9][0-9]/ } 39 | end 40 | # STOP_DESCRIBE RHEL-07-010220 41 | 42 | end 43 | 44 | -------------------------------------------------------------------------------- /controls/RHEL-07-010230.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | system_users = attribute('system_users', default: [], description: 'list of known system users') 8 | title 'RHEL-07-010230 - Existing passwords must be restricted to a 60-day maximum lifetime.' 9 | control 'RHEL-07-010230' do 10 | impact 0.5 11 | title 'Existing passwords must be restricted to a 60-day maximum lifetime.' 12 | desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.' 
13 | tag 'stig', 'RHEL-07-010230' 14 | tag severity: 'medium' 15 | tag checkid: 'C-RHEL-07-010230_chk' 16 | tag fixid: 'F-RHEL-07-010230_fix' 17 | tag version: 'RHEL-07-010230' 18 | tag ruleid: 'RHEL-07-010230_rule' 19 | tag fixtext: 'Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. 20 | 21 | # chage -M 60 [user]' 22 | tag checktext: 'Check whether the maximum time period for existing passwords is restricted to 60 days. 23 | 24 | # awk -F: \'$5 > 60 {print $1}\' /etc/shadow 25 | 26 | If any results are returned that are not associated with a system account, this is a finding.' 27 | 28 | # START_DESCRIBE RHEL-07-010230 29 | if system_users.length > 0 30 | describe command("awk -F: '$5 > 60 {print $1}' /etc/shadow") do 31 | its('stdout') { should eq '' } 32 | end 33 | end 34 | # STOP_DESCRIBE RHEL-07-010230 35 | 36 | end 37 | 38 | -------------------------------------------------------------------------------- /controls/RHEL-07-010240.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010240 - Passwords must be prohibited from reuse for a minimum of five generations.' 8 | control 'RHEL-07-010240' do 9 | impact 0.5 10 | title 'Passwords must be prohibited from reuse for a minimum of five generations.' 11 | desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.' 12 | tag 'stig', 'RHEL-07-010240' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010240_chk' 15 | tag fixid: 'F-RHEL-07-010240_fix' 16 | tag version: 'RHEL-07-010240' 17 | tag ruleid: 'RHEL-07-010240_rule' 18 | tag fixtext: 'Configure the operating system to prohibit password reuse for a minimum of five generations. 19 | 20 | Add the following line in /etc/pam.d/system-auth (or modify the line to have the required value): 21 | 22 | password sufficient pam_unix.so use_authtok sha512 shadow remember=5' 23 | tag checktext: 'Verify the operating system prohibits password reuse for a minimum of five generations. 24 | 25 | Check for the value of the “remember” argument in /etc/pam.d/system-auth with the following command: 26 | 27 | # grep -i remember /etc/pam.d/system-auth 28 | password sufficient pam_unix.so use_authtok sha512 shadow remember=5 29 | 30 | If the line containing the pam_unix.so line does not have the “remember” module argument set, or the value of the “remember” module argument is set to less than “5”, this is a finding.' 
31 | 32 | # START_DESCRIBE RHEL-07-010240 33 | describe file('/etc/pam.d/system-auth') do 34 | its('content') { should match /^password\s+sufficient\s+pam_unix\.so.+??remember=([5-9]|[1-9][0-9])/ } 35 | end 36 | # STOP_DESCRIBE RHEL-07-010240 37 | 38 | end 39 | 40 | -------------------------------------------------------------------------------- /controls/RHEL-07-010250.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010250 - Passwords must be a minimum of 15 characters in length.' 8 | control 'RHEL-07-010250' do 9 | impact 0.5 10 | title 'Passwords must be a minimum of 15 characters in length.' 11 | desc 'The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.' 
12 | tag 'stig', 'RHEL-07-010250' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010250_chk' 15 | tag fixid: 'F-RHEL-07-010250_fix' 16 | tag version: 'RHEL-07-010250' 17 | tag ruleid: 'RHEL-07-010250_rule' 18 | tag fixtext: 'Configure operating system to enforce a minimum 15-character password length. 19 | 20 | Add the following line to /etc/security/pwquality.conf conf (or modify the line to have the required value): 21 | 22 | minlen = 15' 23 | tag checktext: 'Verify the operating system enforces a minimum 15-character password length. The “minlen” option sets the minimum number of characters in a new password. 24 | 25 | Check for the value of the “minlen” option in /etc/security/pwquality.conf with the following command: 26 | 27 | # grep minlen /etc/security/pwquality.conf 28 | minlen = 15 29 | 30 | If the command does not return a “minlen” value of 15 or greater, this is a finding.' 31 | 32 | # START_DESCRIBE RHEL-07-010250 33 | describe parse_config_file('/etc/security/pwquality.conf') do 34 | its('minlen') { should_not match /^\d$|^1[0-4]$/ } 35 | its('minlen') { should_not eq nil } 36 | end 37 | # STOP_DESCRIBE RHEL-07-010250 38 | 39 | end 40 | 41 | -------------------------------------------------------------------------------- /controls/RHEL-07-010260.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-010260 - The system must not have accounts configured with blank or null passwords.' 8 | control 'RHEL-07-010260' do 9 | impact 1.0 10 | title 'The system must not have accounts configured with blank or null passwords.' 11 | desc 'If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.' 12 | tag 'stig', 'RHEL-07-010260' 13 | tag severity: 'high' 14 | tag checkid: 'C-RHEL-07-010260_chk' 15 | tag fixid: 'F-RHEL-07-010260_fix' 16 | tag version: 'RHEL-07-010260' 17 | tag ruleid: 'RHEL-07-010260_rule' 18 | tag fixtext: 'If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. 19 | 20 | Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" to prevent logons with empty passwords.' 21 | tag checktext: 'To verify that null passwords cannot be used, run the following command: 22 | 23 | # grep nullok /etc/pam.d/system-auth 24 | 25 | If this produces any output, it may be possible to log on with accounts with empty passwords. 26 | 27 | If null passwords can be used, this is a finding.' 28 | 29 | # START_DESCRIBE RHEL-07-010260 30 | describe file('/etc/pam.d/system-auth') do 31 | its('content') { should_not match /nullok/ } 32 | end 33 | # STOP_DESCRIBE RHEL-07-010260 34 | 35 | end 36 | 37 | -------------------------------------------------------------------------------- /controls/RHEL-07-010270.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. 
The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password.' 8 | control 'RHEL-07-010270' do 9 | impact 1.0 10 | title 'The SSH daemon must not allow authentication using an empty password.' 11 | desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.' 12 | tag 'stig', 'RHEL-07-010270' 13 | tag severity: 'high' 14 | tag checkid: 'C-RHEL-07-010270_chk' 15 | tag fixid: 'F-RHEL-07-010270_fix' 16 | tag version: 'RHEL-07-010270' 17 | tag ruleid: 'RHEL-07-010270_rule' 18 | tag fixtext: 'To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": 19 | 20 | PermitEmptyPasswords no 21 | 22 | Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.' 23 | tag checktext: 'To determine how the SSH daemon\'s "PermitEmptyPasswords" option is set, run the following command: 24 | 25 | # grep -i PermitEmptyPasswords /etc/ssh/sshd_config 26 | 27 | If no line, a commented line, or a line indicating the value "no" is returned, the required value is set. 28 | 29 | If the required value is not set, this is a finding.' 
30 | 31 | # START_DESCRIBE RHEL-07-010270 32 | describe parse_config_file('/etc/ssh/sshd_config') do 33 | its('PermitEmptyPasswords') { should_not eq "yes" } 34 | end 35 | # STOP_DESCRIBE RHEL-07-010270 36 | 37 | end 38 | 39 | -------------------------------------------------------------------------------- /controls/RHEL-07-010280.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010280 - The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.' 8 | control 'RHEL-07-010280' do 9 | impact 0.5 10 | title 'The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.' 11 | desc 'Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.' 
12 | tag 'stig', 'RHEL-07-010280' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010280_chk' 15 | tag fixid: 'F-RHEL-07-010280_fix' 16 | tag version: 'RHEL-07-010280' 17 | tag ruleid: 'RHEL-07-010280_rule' 18 | tag fixtext: 'Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires. 19 | 20 | Add the following line /etc/default/useradd (or modify the line to have the required value): 21 | 22 | INACTIVE=0' 23 | tag checktext: 'Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: 24 | 25 | # grep -i inactive /etc/default/useradd 26 | INACTIVE=0 27 | 28 | If the value is not set to “0”, is commented out, or is not defined, this is a finding.' 29 | 30 | # START_DESCRIBE RHEL-07-010280 31 | describe parse_config_file('/etc/default/useradd') do 32 | its('INACTIVE') { should eq '0' } 33 | end 34 | # STOP_DESCRIBE RHEL-07-010280 35 | 36 | end 37 | 38 | -------------------------------------------------------------------------------- /controls/RHEL-07-010380.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-010380 - Users must provide a password for privilege escalation.' 8 | control 'RHEL-07-010380' do 9 | impact 0.5 10 | title 'Users must provide a password for privilege escalation.' 
11 | desc 'Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158' 12 | tag 'stig', 'RHEL-07-010380' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-010380_chk' 15 | tag fixid: 'F-RHEL-07-010380_fix' 16 | tag version: 'RHEL-07-010380' 17 | tag ruleid: 'RHEL-07-010380_rule' 18 | tag fixtext: 'Configure the operating system to require users to supply a password for privilege escalation. 19 | 20 | Check the configuration of the /etc/sudoers and /etc/sudoers.d/* files with the following command: 21 | 22 | # grep -i nopasswd /etc/sudoers /etc/sudoers.d/* 23 | 24 | Remove any occurrences of "NOPASSWD" tags in the file.' 25 | tag checktext: 'Verify the operating system requires users to supply a password for privilege escalation. 26 | 27 | Check the configuration of the /etc/sudoers and /etc/sudoers.d/* files with the following command: 28 | 29 | # grep -i nopasswd /etc/sudoers /etc/sudoers.d/* 30 | 31 | If any line is found with a "NOPASSWD" tag, this is a finding.' 
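# START_DESCRIBE RHEL-07-010380
sudoers_files = command('find /etc/sudoers* -type f 2> /dev/null').stdout.split("\n")
sudoers_files.each do |sudoers_file|
  describe file(sudoers_file) do
    its('content') { should_not match /^(?!#).*(NOPASSWD|nopasswd).*$/ }
  end
end
# STOP_DESCRIBE RHEL-07-010380

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010381.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-010381 - Users must re-authenticate for privilege escalation.'
control 'RHEL-07-010381' do
  impact 0.5
  title 'Users must re-authenticate for privilege escalation.'
  desc 'Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158'
  tag 'stig', 'RHEL-07-010381'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-010381_chk'
  tag fixid: 'F-RHEL-07-010381_fix'
  tag version: 'RHEL-07-010381'
  tag ruleid: 'RHEL-07-010381_rule'
  tag fixtext: 'Configure the operating system to require users to reauthenticate for privilege escalation.

Check the configuration of the /etc/sudoers and /etc/sudoers.d/* files with the following command:

Remove any occurrences of "!authenticate" tags in the file.'
  tag checktext: 'Verify the operating system requires users to reauthenticate for privilege escalation.

Check the configuration of the /etc/sudoers and /etc/sudoers.d/* files with the following command:

# grep -i authenticate /etc/sudoers /etc/sudoers.d/*

If any line is found with a "!authenticate" tag, this is a finding.'

  # START_DESCRIBE RHEL-07-010381
  # Every regular file under /etc/sudoers* (the main file plus /etc/sudoers.d/)
  # is inspected.  Files pulled in from other locations through #include or
  # #includedir directives are not enumerated by this find command.
  sudoers_files = command('find /etc/sudoers* -type f 2> /dev/null').stdout.split("\n")
  sudoers_files.each do |sudoers_file|
    describe file(sudoers_file) do
      # Lines whose first non-blank character is '#' are skipped so a
      # commented-out example does not raise a finding (the same approach
      # RHEL-07-010380 takes); the match is case-insensitive like the
      # STIG's `grep -i`.  A live "Defaults !authenticate" still matches.
      its('content') { should_not match /^(?![ \t]*#).*!authenticate/i }
    end
  end
  # STOP_DESCRIBE RHEL-07-010381

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010430.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-010430 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface.'
control 'RHEL-07-010430' do
  impact 1.0
  title 'The operating system must not allow an unattended or automatic logon to the system via a graphical user interface.'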
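  desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'
  tag 'stig', 'RHEL-07-010430'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-010430_chk'
  tag fixid: 'F-RHEL-07-010430_fix'
  tag version: 'RHEL-07-010430'
  tag ruleid: 'RHEL-07-010430_rule'
  tag fixtext: 'Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Add or edit the line for the “AutomaticLoginEnable” parameter in the [daemon] section of the “/etc/gdm/custom.conf” file to “false”:

[daemon]
AutomaticLoginEnable=false'
  tag checktext: 'Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Check for the value of the “AutomaticLoginEnable” in “/etc/gdm/custom.conf” file with the following command:

# grep -i automaticloginenable /etc/gdm/custom.conf
AutomaticLoginEnable=false

If the value of “AutomaticLoginEnable” is not set to “false”, this is a finding.'

  # START_DESCRIBE RHEL-07-010430
  # The STIG marks this Not Applicable when GNOME is absent, so the control is
  # skipped (reported as such) when the gdm package that owns custom.conf is
  # not installed.  Gating on the file alone, as before, ran zero tests on a
  # GNOME host whose custom.conf was missing and so reported nothing at all.
  only_if { package('gdm').installed? }

  describe file('/etc/gdm/custom.conf') do
    it { should exist }
  end

  # Read the key from the [daemon] section instead of a whole-file line regex:
  # the regex also passed when a conflicting AutomaticLoginEnable=true line was
  # present, and rejected key-file spacing such as "AutomaticLoginEnable = false".
  # A missing key yields nil, which fails the comparison (not set == finding).
  describe ini('/etc/gdm/custom.conf') do
    its(['daemon', 'AutomaticLoginEnable']) { should cmp 'false' }
  end
  # STOP_DESCRIBE RHEL-07-010430

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010431.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-010431 - The operating system must not allow guest logon to the system.'
control 'RHEL-07-010431' do
  impact 1.0
  title 'The operating system must not allow guest logon to the system.'
  desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'
  tag 'stig', 'RHEL-07-010431'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-010431_chk'
  tag fixid: 'F-RHEL-07-010431_fix'
  tag version: 'RHEL-07-010431'
  tag ruleid: 'RHEL-07-010431_rule'
  tag fixtext: 'Configure the operating system to not allow a guest account to log on to the system via a graphical user interface.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.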
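
Add or edit the line for the “TimedLoginEnable” parameter in the [daemon] section of the “/etc/gdm/custom.conf” file to “false”:

[daemon]
TimedLoginEnable=false'
  tag checktext: 'Verify the operating system does not allow guest logon to the system via a graphical user interface.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Check for the value of the “AutomaticLoginEnable” in “/etc/gdm/custom.conf” file with the following command:

# grep -i timedloginenable /etc/gdm/custom.conf
TimedLoginEnable=false

If the value of “TimedLoginEnable” is not set to “false”, this is a finding.'

  # START_DESCRIBE RHEL-07-010431
  # The parameter tested is TimedLoginEnable, as the fixtext and the grep line
  # in the checktext indicate; the checktext's mention of “AutomaticLoginEnable”
  # is the STIG's own wording and is left as published.
  #
  # Skip (Not Applicable per the STIG) when the gdm package is absent instead
  # of silently running zero tests when custom.conf happens to be missing.
  only_if { package('gdm').installed? }

  describe file('/etc/gdm/custom.conf') do
    it { should exist }
  end

  # Key-file lookup in the [daemon] section rather than a whole-file regex, so a
  # conflicting TimedLoginEnable=true line cannot coexist with a pass and
  # whitespace around '=' is tolerated; a missing key yields nil and fails.
  describe ini('/etc/gdm/custom.conf') do
    its(['daemon', 'TimedLoginEnable']) { should cmp 'false' }
  end
  # STOP_DESCRIBE RHEL-07-010431

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010440.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-010440 - The operating system must not allow empty passwords for SSH logon to the system.'
control 'RHEL-07-010440' do
  impact 1.0
  title 'The operating system must not allow empty passwords for SSH logon to the system.'
  desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'
  tag 'stig', 'RHEL-07-010440'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-010440_chk'
  tag fixid: 'F-RHEL-07-010440_fix'
  tag version: 'RHEL-07-010440'
  tag ruleid: 'RHEL-07-010440_rule'
  tag fixtext: 'Configure the operating system to not allow empty passwords for SSH logon to the system.

Edit the /etc/ssh/sshd_config file to uncomment or add the line for “PermitEmptyPasswords” keyword and set the value to “no”:

PermitEmptyPasswords no'
  tag checktext: 'Verify the operating system does not allow empty passwords to be used for SSH logon to the system.

Check for the value of the PermitEmptyPasswords keyword with the following command:

# grep -i permitemptypassword /etc/ssh/sshd_config
PermitEmptyPasswords no

If the “PermitEmptyPasswords” keyword is not set to “no”, is missing, or is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-010440
  describe sshd_config do
    # `cmp` rather than `eq`: sshd matches yes/no values case-insensitively, so
    # "No" is a compliant setting and must not be reported as a finding.  A
    # keyword that is missing or commented out yields nil and still fails.
    # NOTE(review): directives inside Match blocks are not evaluated separately
    # here — confirm the effective value with `sshd -T` where Match is in use.
    its('PermitEmptyPasswords') { should cmp 'no' }
  end
  # STOP_DESCRIBE RHEL-07-010440

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010441.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.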
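# impacts
title 'RHEL-07-010441 - The operating system must not allow users to override SSH environment variables.'
control 'RHEL-07-010441' do
  impact 0.5
  title 'The operating system must not allow users to override SSH environment variables.'
  desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'
  tag 'stig', 'RHEL-07-010441'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-010441_chk'
  tag fixid: 'F-RHEL-07-010441_fix'
  tag version: 'RHEL-07-010441'
  tag ruleid: 'RHEL-07-010441_rule'
  tag fixtext: 'Configure the operating system to not allow users to override environment variables to the SSH daemon.

Edit the /etc/ssh/sshd_config file to uncomment or add the line for “PermitUserEnvironment” keyword and set the value to “no”:

PermitUserEnvironment no'
  tag checktext: 'Verify the operating system does not allow users to override environment variables to the SSH daemon.

Check for the value of the PermitUserEnvironment keyword with the following command:

# grep -i permituserenvironment /etc/ssh/sshd_config
PermitUserEnvironment no

If the “PermitUserEnvironment” keyword is not set to “no”, is missing, or is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-010441
  describe sshd_config do
    # `cmp` rather than `eq`: sshd matches yes/no values case-insensitively, so
    # "No" is compliant.  A missing or commented-out keyword yields nil and fails.
    # NOTE(review): directives inside Match blocks are not evaluated separately
    # here — confirm the effective value with `sshd -T` where Match is in use.
    its('PermitUserEnvironment') { should cmp 'no' }
  end
  # STOP_DESCRIBE RHEL-07-010441

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010442.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. 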
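The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-010442 - The operating system must not allow a non-certificate trusted host SSH logon to the system.'
control 'RHEL-07-010442' do
  impact 0.5
  title 'The operating system must not allow a non-certificate trusted host SSH logon to the system.'
  desc 'Failure to restrict system access to authenticated users negatively impacts operating system security.'
  tag 'stig', 'RHEL-07-010442'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-010442_chk'
  tag fixid: 'F-RHEL-07-010442_fix'
  tag version: 'RHEL-07-010442'
  tag ruleid: 'RHEL-07-010442_rule'
  tag fixtext: 'Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.

Edit the /etc/ssh/sshd_config file to uncomment or add the line for “HostbasedAuthentication” keyword and set the value to “no”:

HostbasedAuthentication no'
  tag checktext: 'Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.

Check for the value of the HostbasedAuthentication keyword with the following command:

# grep -i hostbasedauthentication /etc/ssh/sshd_config
HostbasedAuthentication no

If the “HostbasedAuthentication” keyword is not set to “no”, is missing, or is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-010442
  describe sshd_config do
    # `cmp` rather than `eq`: sshd matches yes/no values case-insensitively, so
    # "No" is compliant.  A missing or commented-out keyword yields nil and fails.
    # NOTE(review): directives inside Match blocks are not evaluated separately
    # here — confirm the effective value with `sshd -T` where Match is in use.
    its('HostbasedAuthentication') { should cmp 'no' }
  end
  # STOP_DESCRIBE RHEL-07-010442

end

-------------------------------------------------------------------------------- /controls/RHEL-07-010490.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-010490 - Unnecessary default system accounts must be removed.'
control 'RHEL-07-010490' do
  impact 0.1
  title 'Unnecessary default system accounts must be removed.'
  desc 'Default system accounts created at install time but never used by the system may inadvertently be configured for interactive logon. Vendor accounts and software may contain accounts that provide unauthorized access to the system. All accounts that are not used to support the system and application operation must be removed from the system.'
  tag 'stig', 'RHEL-07-010490'
  tag severity: 'low'
  tag checkid: 'C-RHEL-07-010490_chk'
  tag fixid: 'F-RHEL-07-010490_fix'
  tag version: 'RHEL-07-010490'
  tag ruleid: 'RHEL-07-010490_rule'
  tag fixtext: 'Remove unnecessary default accounts from the system by using the account management tool or manually editing the “/etc/password” and “/etc/shadow” files.'
  tag checktext: 'Verify unnecessary default system accounts have been removed.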
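
Check the accounts that are on the system with the following command:

# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync

If unnecessary default accounts such as games or ftp exist in the “/etc/passwd” file, this is a finding.'

  # START_DESCRIBE RHEL-07-010490
  # Match the account names exactly.  The previous /^(games|ftp)/ was a prefix
  # match on raw file content and also flagged unrelated accounts such as
  # "ftpadmin".  Only the two default accounts the STIG names are automated;
  # any other unnecessary default account still needs review against the
  # site's documented account list.
  describe passwd.where { user =~ /\A(games|ftp)\z/ } do
    its('users') { should be_empty }
  end
  # STOP_DESCRIBE RHEL-07-010490

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020000.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020000 - The rsh-server package must not be installed.'
control 'RHEL-07-020000' do
  impact 1.0
  title 'The rsh-server package must not be installed.'
  desc 'It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. 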
Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to log on using this service, the privileged user password could be compromised.'
  tag 'stig', 'RHEL-07-020000'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-020000_chk'
  tag fixid: 'F-RHEL-07-020000_fix'
  tag version: 'RHEL-07-020000'
  tag ruleid: 'RHEL-07-020000_rule'
  tag fixtext: 'Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:

# yum remove rsh-server'
  tag checktext: 'Check to see if the rsh-server package is installed with the following command:

# yum list installed | grep rsh-server

If the rsh-server package is installed, this is a finding.'

  # START_DESCRIBE RHEL-07-020000
  # Presence of the package alone is the finding, matching the checktext; the
  # rsh service does not need to be enabled or running for this to fail.
  describe package('rsh-server') do
    it { should_not be_installed }
  end
  # STOP_DESCRIBE RHEL-07-020000

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020010.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020010 - The ypserv package must not be installed.'
control 'RHEL-07-020010' do
  impact 1.0
  title 'The ypserv package must not be installed.'
  desc 'Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.'
  tag 'stig', 'RHEL-07-020010'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-020010_chk'
  tag fixid: 'F-RHEL-07-020010_fix'
  tag version: 'RHEL-07-020010'
  tag ruleid: 'RHEL-07-020010_rule'
  tag fixtext: 'Configure the operating system to disable non-essential capabilities by removing the “ypserv” package from the system with the following command:

# yum remove ypserv'
  tag checktext: 'The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.

Check to see if the “ypserve” package is installed with the following command:

# yum list installed | grep ypserv

If the “ypserv” package is installed, this is a finding.'

  # START_DESCRIBE RHEL-07-020010
  # The package queried is "ypserv" (as in the fixtext and the grep line); the
  # checktext's "ypserve" is the STIG's own wording and is left as published.
  describe package('ypserv') do
    it { should_not be_installed }
  end
  # STOP_DESCRIBE RHEL-07-020010

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020160.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
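Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020160 - USB mass storage must be disabled.'
control 'RHEL-07-020160' do
  impact 0.5
  title 'USB mass storage must be disabled.'
  desc 'USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227'
  tag 'stig', 'RHEL-07-020160'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-020160_chk'
  tag fixid: 'F-RHEL-07-020160_fix'
  tag version: 'RHEL-07-020160'
  tag ruleid: 'RHEL-07-020160_rule'
  tag fixtext: 'Configure the operating system to disable the ability to use USB mass storage devices.

Create a file under /etc/modprobe.d with the following command:

#touch /etc/modprobe.d/nousbstorage

Add the following line to the created file:

install usb-storage /bin/true'
  tag checktext: 'If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.

Verify the operating system disables the ability to use USB mass storage devices.

Check to see if USB mass storage is disabled with the following command:

#grep -i usb-storage /etc/modprobe.d/*

install usb-storage /bin/true

If the command does not return any output, and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'

  # START_DESCRIBE RHEL-07-020160
  # The HBSS exception and any ISSO-documented operational need in the
  # checktext cannot be determined from the host and are not automated here.
  #
  # Require an active (non-comment) install rule under /etc/modprobe.d that
  # points the module at /bin/true or /bin/false; either stops modprobe from
  # loading it, and modprobe treats "usb-storage" and "usb_storage" alike.
  # Anchoring on the line start excludes "#install ..." examples, which the
  # previous unanchored grep counted as compliant.
  describe command('grep -rE "^\s*install\s+usb[-_]storage\s+/bin/(true|false)\b" /etc/modprobe.d/') do
    its('exit_status') { should eq 0 }
  end

  # A modprobe rule only governs future loads; the module may already be
  # resident from before the rule was written, so also check the kernel.
  describe kernel_module('usb_storage') do
    it { should_not be_loaded }
  end
  # STOP_DESCRIBE RHEL-07-020160

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020161.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020161 - File system automounter must be disabled unless required.'
control 'RHEL-07-020161' do
  impact 0.5
  title 'File system automounter must be disabled unless required.'
  desc 'Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227'
  tag 'stig', 'RHEL-07-020161'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-020161_chk'
  tag fixid: 'F-RHEL-07-020161_fix'
  tag version: 'RHEL-07-020161'
  tag ruleid: 'RHEL-07-020161_rule'
  tag fixtext: 'Configure the operating system to disable the ability to automount devices.

Turn off the automount service with the following command:

# systemctl disable autofs

If “autofs” is required for Network File System (NFS), it must be documented with the ISSO.'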
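  tag checktext: 'Verify the operating system disables the ability to automount devices.

Check to see if automounter service is active with the following command:

# systemctl status autofs
autofs.service - Automounts filesystems on demand
Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
Active: inactive (dead)

If the “autofs” status is set to “active” and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'

  # START_DESCRIBE RHEL-07-020161
  # Both the current state and the boot-time state are asserted, so a unit that
  # is stopped now but still enabled is a finding.  An ISSO-documented need for
  # autofs (see checktext) cannot be determined from the host.
  describe service('autofs') do
    it { should_not be_running }
    it { should_not be_enabled }
  end
  # STOP_DESCRIBE RHEL-07-020161

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020200.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020200 - The operating system must remove all software components after updated versions have been installed.'
control 'RHEL-07-020200' do
  impact 0.1
  title 'The operating system must remove all software components after updated versions have been installed.'
  desc 'Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.'
  tag 'stig', 'RHEL-07-020200'
  tag severity: 'low'
  tag checkid: 'C-RHEL-07-020200_chk'
  tag fixid: 'F-RHEL-07-020200_fix'
  tag version: 'RHEL-07-020200'
  tag ruleid: 'RHEL-07-020200_rule'
  tag fixtext: 'Configure the operating system to remove all software components after updated versions have been installed.

Set the “clean_requirements_on_remove” option to “1” in the /etc/yum.conf file:

clean_requirements_on_remove=1'
  tag checktext: 'Verify the operating system removes all software components after updated versions have been installed.

Check if yum is configured to remove unneeded packages with the following command:

# grep -i clean_requirements_on_remove /etc/yum.conf
clean_requirements_on_remove=1

If “clean_requirements_on_remove” is not set to “1”, “True”, or “yes”, or is not set in /etc/yum.conf, this is a finding.'

  # START_DESCRIBE RHEL-07-020200
  # Read the option from the [main] section instead of a whole-file line regex,
  # so whitespace around '=' is tolerated and the three spellings the checktext
  # accepts (“1”, “True”, “yes”) pass regardless of case, which is how yum
  # parses boolean options.  A missing option yields nil and fails the match,
  # so "not set in /etc/yum.conf" remains a finding.
  describe ini('/etc/yum.conf') do
    its(['main', 'clean_requirements_on_remove']) { should match(/\A(1|true|yes)\z/i) }
  end
  # STOP_DESCRIBE RHEL-07-020200

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020210.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.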
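# impacts
title 'RHEL-07-020210 - The operating system must enable SELinux.'
control 'RHEL-07-020210' do
  impact 1.0
  title 'The operating system must enable SELinux.'
  desc 'Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.'
  tag 'stig', 'RHEL-07-020210'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-020210_chk'
  tag fixid: 'F-RHEL-07-020210_fix'
  tag version: 'RHEL-07-020210'
  tag ruleid: 'RHEL-07-020210_rule'
  tag fixtext: 'Configure the operating system to verify correct operation of all security functions.

Set the “Selinux” status and the “enforcing” mode by modifying the /etc/selinux/config file to have the following line:

SELINUX=enforcing

A reboot is required for the changes to take effect.'
  tag checktext: 'Verify the operating system verifies correct operation of all security functions.

Check if SELinux is active and in enforcing mode with the following command:

# getenforce
Enforcing

If the “SELinux” mode is not set to “Enforcing”, this is a finding.'

  # START_DESCRIBE RHEL-07-020210
  # Runtime state, exactly as the checktext verifies it.
  describe command('getenforce') do
    its('stdout') { should match /^Enforcing/ }
  end

  # Persisted state: the fixtext sets SELINUX=enforcing in /etc/selinux/config,
  # and a host that reports Enforcing now but is configured permissive or
  # disabled reverts at the next boot, so both must agree.  A missing SELINUX
  # line yields nil and fails.
  describe parse_config_file('/etc/selinux/config') do
    its('SELINUX') { should cmp 'enforcing' }
  end
  # STOP_DESCRIBE RHEL-07-020210

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020230.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020230 - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.'
control 'RHEL-07-020230' do
  impact 0.5
  title 'The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.'
  desc 'Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.'
  tag 'stig', 'RHEL-07-020230'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-020230_chk'
  tag fixid: 'F-RHEL-07-020230_fix'
  tag version: 'RHEL-07-020230'
  tag ruleid: 'RHEL-07-020230_rule'
  tag fixtext: 'Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.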
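
Add or edit the line for the “UMASK” parameter in “/etc/login.defs” file to “077”:

UMASK 077'
  tag checktext: 'Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Check for the value of the “UMASK” parameter in “/etc/login.defs” file with the following command:

Note: If the value of the “UMASK” parameter is set to “000” in “/etc/login.defs” file, the Severity is raised to a CAT I.

# grep -i umask /etc/login.defs
UMASK 077

If the value for the “UMASK” parameter is not “077”, or the “UMASK” parameter is missing or is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-020230
  # The login_defs resource parses the key/value lines (comments skipped) rather
  # than regex-matching raw content, so leading or trailing whitespace on the
  # UMASK line no longer produces a false finding.  A UMASK that is missing or
  # commented out yields nil and fails, as the checktext requires.  The CAT I
  # severity override for "000" is a reporting concern and is not automated.
  describe login_defs do
    its('UMASK') { should cmp '077' }
  end
  # STOP_DESCRIBE RHEL-07-020230

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020240.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020240 - The operating system must be a supported release.'
control 'RHEL-07-020240' do
  impact 1.0
  title 'The operating system must be a supported release.'
  desc 'An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.'
  tag 'stig', 'RHEL-07-020240'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-020240_chk'
  tag fixid: 'F-RHEL-07-020240_fix'
  tag version: 'RHEL-07-020240'
  tag ruleid: 'RHEL-07-020240_rule'
  tag fixtext: 'Upgrade to a supported version of the operating system.'
  tag checktext: 'Severity Override Guidance:

Check the version of the operating system with the following command:

# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 7.2 (Maipo)
Current End of Life for RHEL 7 is June 30, 2024.

If the release is not supported by the vendor, this is a finding.'

  # START_DESCRIBE RHEL-07-020240
  # The previous /7\.[0-3]/ hard-coded the point releases that existed when this
  # control was written and would flag every later, still-supported 7.x update.
  # Accept any RHEL 7 point release and enforce the vendor end-of-life date
  # stated in the checktext (June 30, 2024) explicitly.  Adjust the date if an
  # extended-support contract applies; whether an older point release is still
  # patched by the vendor cannot be determined from the release file alone.
  describe file('/etc/redhat-release') do
    its('content') { should match /release 7\.\d+/ }
  end

  describe Time.now, 'RHEL 7 vendor end of life (2024-06-30)' do
    it { should be < Time.utc(2024, 7, 1) }
  end
  # STOP_DESCRIBE RHEL-07-020240

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020300.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020300 - All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.'
control 'RHEL-07-020300' do
  impact 0.1
  title 'All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.'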
11 | desc 'If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.' 12 | tag 'stig', 'RHEL-07-020300' 13 | tag severity: 'low' 14 | tag checkid: 'C-RHEL-07-020300_chk' 15 | tag fixid: 'F-RHEL-07-020300_fix' 16 | tag version: 'RHEL-07-020300' 17 | tag ruleid: 'RHEL-07-020300_rule' 18 | tag fixtext: 'Configure the system to define all GIDs found in the “/etc/passwd” file by modifying the “/etc/group” file to add any non-existent group referenced in the “/etc/passwd” file, or change the GIDs referenced in the “/etc/passwd” file to a group that exists in “/etc/group”.' 19 | tag checktext: 'Verify all GIDs referenced in the “/etc/passwd” file are defined in the “/etc/group” file. 20 | 21 | Check that all referenced GIDs exist with the following command: 22 | 23 | # pwck -r 24 | 25 | If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.' 26 | 27 | # START_DESCRIBE RHEL-07-020300 28 | describe command('pwck -r') do 29 | its('stdout') { should_not match /^user\s+'.*':\s+no\s+group\s+.*$/ } 30 | end 31 | # STOP_DESCRIBE RHEL-07-020300 32 | 33 | end 34 | 35 | -------------------------------------------------------------------------------- /controls/RHEL-07-020310.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-020310 - The root account must be the only account having unrestricted access to the system.' 8 | control 'RHEL-07-020310' do 9 | impact 1.0 10 | title 'The root account must be the only account having unrestricted access to the system.' 11 | desc 'If an account other than root also has a User Identifier (UID) of “0”, it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of “0” afford an opportunity for potential intruders to guess a password for a privileged account.' 12 | tag 'stig', 'RHEL-07-020310' 13 | tag severity: 'high' 14 | tag checkid: 'C-RHEL-07-020310_chk' 15 | tag fixid: 'F-RHEL-07-020310_fix' 16 | tag version: 'RHEL-07-020310' 17 | tag ruleid: 'RHEL-07-020310_rule' 18 | tag fixtext: 'Change the UID of any account on the system, other than root, that has a UID of “0”. 19 | 20 | If the account is associated with system commands or applications, the UID should be changed to one greater than “0” but less than “1000”. Otherwise, assign a UID of greater than “1000” that has not already been assigned.' 21 | tag checktext: 'Check the system for duplicate UID “0” assignments with the following command: 22 | 23 | # awk -F: \'$3 == 0 {print $1}\' /etc/passwd 24 | 25 | If any accounts other than root have a UID of “0”, this is a finding.' 
26 | 27 | # START_DESCRIBE RHEL-07-020310 28 | describe passwd.uids(0) do 29 | its('users') { should cmp 'root' } 30 | its('entries.length') { should eq 1 } 31 | end 32 | # STOP_DESCRIBE RHEL-07-020310 33 | 34 | end 35 | 36 | -------------------------------------------------------------------------------- /controls/RHEL-07-020360.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-020360 - All files and directories must have a valid owner.' 8 | control 'RHEL-07-020360' do 9 | impact 0.5 10 | title 'All files and directories must have a valid owner.' 11 | desc 'Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier “UID” as the UID of the un-owned files.' 12 | tag 'stig', 'RHEL-07-020360' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-020360_chk' 15 | tag fixid: 'F-RHEL-07-020360_fix' 16 | tag version: 'RHEL-07-020360' 17 | tag ruleid: 'RHEL-07-020360_rule' 18 | tag fixtext: 'Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command: 19 | 20 | # chown ' 21 | tag checktext: 'Verify all files and directories on the system have a valid owner. 
22 | 23 | Check the owner of all files and directories with the following command: 24 | 25 | # find / -fstype local -xdev -nouser 26 | 27 | If any files on the system do not have an assigned owner, this is a finding.' 28 | 29 | # START_DESCRIBE RHEL-07-020360 30 | describe command('find / -xdev -nouser -fstype local 2> /dev/null') do 31 | its('stdout') { should eq '' } 32 | end 33 | # STOP_DESCRIBE RHEL-07-020360 34 | 35 | end 36 | 37 | -------------------------------------------------------------------------------- /controls/RHEL-07-020370.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-020370 - All files and directories must have a valid group owner.' 8 | control 'RHEL-07-020370' do 9 | impact 0.5 10 | title 'All files and directories must have a valid group owner.' 11 | desc 'Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.' 
12 | tag 'stig', 'RHEL-07-020370' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-020370_chk' 15 | tag fixid: 'F-RHEL-07-020370_fix' 16 | tag version: 'RHEL-07-020370' 17 | tag ruleid: 'RHEL-07-020370_rule' 18 | tag fixtext: 'Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the chgrp command: 19 | 20 | # chgrp ' 21 | tag checktext: 'Verify all files and directories on the system have a valid group. 22 | 23 | Check the owner of all files and directories with the following command: 24 | 25 | # find / -fstype local -xdev -nogroup 26 | 27 | If any files on the system do not have an assigned group, this is a finding.' 28 | 29 | # START_DESCRIBE RHEL-07-020370 30 | describe command('find / -xdev -nogroup -fstype local 2> /dev/null') do 31 | its('stdout') { should eq '' } 32 | end 33 | # STOP_DESCRIBE RHEL-07-020370 34 | 35 | end 36 | 37 | -------------------------------------------------------------------------------- /controls/RHEL-07-020620.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-020620 - All local interactive users must have a home directory assigned in the /etc/passwd file.' 8 | control 'RHEL-07-020620' do 9 | impact 0.5 10 | title 'All local interactive users must have a home directory assigned in the /etc/passwd file.' 
11 | desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.' 12 | tag 'stig', 'RHEL-07-020620' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-020620_chk' 15 | tag fixid: 'F-RHEL-07-020620_fix' 16 | tag version: 'RHEL-07-020620' 17 | tag ruleid: 'RHEL-07-020620_rule' 18 | tag fixtext: 'Assign home directories to all local interactive users that currently do not have a home directory assigned.' 19 | tag checktext: 'Verify local interactive users on the system have a home directory assigned. 20 | 21 | Check for missing local interactive user home directories with the following command: 22 | 23 | # pwck -r 24 | user \'lp\': directory \'/var/spool/lpd\' does not exist 25 | user \'news\': directory \'/var/spool/news\' does not exist 26 | user \'uucp\': directory \'/var/spool/uucp\' does not exist 27 | user \'smithj\': directory \'/home/smithj\' does not exist 28 | 29 | Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: 30 | 31 | # cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$" 32 | 33 | If any interactive users do not have a home directory assigned, this is a finding.' 
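
  # START_DESCRIBE RHEL-07-020620
  # The check text treats accounts with a UID of 1000 or greater as local
  # interactive users; each must have a home directory recorded in the sixth
  # field of its /etc/passwd entry. The file is parsed directly (the same
  # approach this profile already takes for /etc/fstab), so the control does
  # not depend on any particular filtering API of the passwd resource.
  # content is nil when the file is unreadable; to_s yields an empty list.
  passwd_entries = file('/etc/passwd').content.to_s.split("\n")
  users_without_home = passwd_entries.each_with_object([]) do |entry, missing|
    user, _password, uid, _gid, _gecos, home = entry.split(':')
    # String#split drops trailing empty fields, so home may be nil as well
    # as ""; both mean no home directory is assigned.
    missing << user if uid.to_i >= 1000 && home.to_s.empty?
  end

  # Reported as the list of offending user names so a failure is actionable.
  describe users_without_home do
    it { should be_empty }
  end
  # STOP_DESCRIBE RHEL-07-020620

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020630.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020630 - All local interactive user accounts, upon creation, must be assigned a home directory.'
control 'RHEL-07-020630' do
  impact 0.5
  title 'All local interactive user accounts, upon creation, must be assigned a home directory.'
  desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.'
  tag 'stig', 'RHEL-07-020630'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-020630_chk'
  tag fixid: 'F-RHEL-07-020630_fix'
  tag version: 'RHEL-07-020630'
  tag ruleid: 'RHEL-07-020630_rule'
  tag fixtext: 'Configure the operating system to assign home directories to all new local interactive users by setting the “CREATE_HOME” parameter in “/etc/login.defs” to “yes” as follows.

CREATE_HOME yes'
  tag checktext: 'Verify all local interactive users on the system are assigned a home directory upon creation.

Check to see if the system is configured to create home directories for local interactive users with the following command:

# grep -i create_home /etc/login.defs
CREATE_HOME yes

If the value for “CREATE_HOME” parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-020630
  # \s+ requires at least one separator between key and value; the original
  # \s* would also have accepted the malformed "CREATE_HOMEyes". Trailing
  # whitespace on the line is tolerated. A commented-out line does not
  # match because of the ^ anchor.
  describe file('/etc/login.defs') do
    its('content') { should match /^CREATE_HOME\s+yes\s*$/ }
  end
  # STOP_DESCRIBE RHEL-07-020630

end

-------------------------------------------------------------------------------- /controls/RHEL-07-020880.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-020880 - Local initialization files must not execute world-writable programs.'
control 'RHEL-07-020880' do
  impact 0.5
  title 'Local initialization files must not execute world-writable programs.'
  desc 'If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.'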
12 | tag 'stig', 'RHEL-07-020880' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-020880_chk' 15 | tag fixid: 'F-RHEL-07-020880_fix' 16 | tag version: 'RHEL-07-020880' 17 | tag ruleid: 'RHEL-07-020880_rule' 18 | tag fixtext: 'Set the mode on files being executed by the local initialization files with the following command: 19 | 20 | # chmod 0755 ' 21 | tag checktext: 'Verify that local initialization files do not execute world-writable programs. 22 | 23 | Check the system for world-writable files with the following command: 24 | # find / -perm -002 -type f -exec ls -ld {} \; | more 25 | 26 | For all files listed, check for their presence in the local initialization files with the following commands: 27 | 28 | Note: The example will be for a system that is configured to create users’ home directories in the /home directory. 29 | 30 | # grep /home/*/.* 31 | 32 | If any local initialization files are found to reference world-writable files, this is a finding.' 33 | 34 | # START_DESCRIBE RHEL-07-020880 35 | # TODO: Complete this finding 36 | # describe file('') do 37 | # it { should match // } 38 | # end 39 | # STOP_DESCRIBE RHEL-07-020880 40 | 41 | end 42 | 43 | -------------------------------------------------------------------------------- /controls/RHEL-07-021011.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
6 | # impacts 7 | title 'RHEL-07-021011 - Files systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.' 8 | control 'RHEL-07-021011' do 9 | impact 0.5 10 | title 'Files systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.' 11 | desc 'The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.' 12 | tag 'stig', 'RHEL-07-021011' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-021011_chk' 15 | tag fixid: 'F-RHEL-07-021011_fix' 16 | tag version: 'RHEL-07-021011' 17 | tag ruleid: 'RHEL-07-021011_rule' 18 | tag fixtext: 'Configure the “/etc/fstab” to use the “nosuid” option on file systems that are associated with removable media.' 19 | tag checktext: 'Verify file systems that are used for removable media are mounted with the “nosetuid” option. 20 | 21 | Check the file systems that are mounted at boot time with the following command: 22 | 23 | # more /etc/fstab 24 | 25 | UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 26 | 27 | If a file system found in “/etc/fstab” refers to removable media and it does not have the “nosetuid” option set, this is a finding.' 
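
  # START_DESCRIBE RHEL-07-021011
  # The mount option that prevents setuid/setgid execution is "nosuid", as
  # the fix text and the example fstab entry state. The check text's
  # "nosetuid" is not an option mount(8) recognises, so testing for that
  # spelling failed every correctly configured entry.
  # content is nil when /etc/fstab is absent or unreadable; to_s turns that
  # into an empty list instead of raising NoMethodError.
  fstab_lines = file('/etc/fstab').content.to_s.split("\n")

  # Uncommented entries whose mount point suggests removable media (the
  # /mnt and /media heuristic is inherited from the original check).
  removable_media_lines = fstab_lines.reject { |line| line =~ /^\s*#/ }
                                     .select { |line| line =~ /mnt|media/ }

  removable_media_lines.each do |fstab_line|
    # The fourth whitespace-separated field of an fstab entry holds the
    # mount options. The entry is examined in Ruby rather than echoed
    # through a shell, so quoting characters in the line cannot break or
    # alter the command being run.
    mount_options = fstab_line.split(/\s+/)[3].to_s.split(',')
    describe mount_options do
      it { should include 'nosuid' }
    end
  end
  # STOP_DESCRIBE RHEL-07-021011

end

-------------------------------------------------------------------------------- /controls/RHEL-07-021160.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-021160 - Cron logging must be implemented.'
control 'RHEL-07-021160' do
  impact 0.5
  title 'Cron logging must be implemented.'
  desc 'Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.'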
12 | tag 'stig', 'RHEL-07-021160' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-021160_chk' 15 | tag fixid: 'F-RHEL-07-021160_fix' 16 | tag version: 'RHEL-07-021160' 17 | tag ruleid: 'RHEL-07-021160_rule' 18 | tag fixtext: 'Configure rsyslog to log all cron messages by adding or updating the following line to /etc/rsyslog.conf: 19 | 20 | cron.* /var/log/cron.log 21 | 22 | Note: The line must be added before the following entry if it exists in /etc/rsyslog.conf: 23 | *.* ~ # discards everything' 24 | tag checktext: 'Verify that rsyslog is configured to log cron events. 25 | 26 | Check the configuration of /etc/rsyslog.conf for the cron facility with the following command: 27 | 28 | Note: If another logging package is used, substitute the utility configuration file for /etc/rsyslog.conf. 29 | 30 | # grep cron /etc/rsyslog.conf 31 | cron.* /var/log/cron.log 32 | 33 | If the command does not return a response, check for cron logging all facilities by inspecting the /etc/rsyslog.conf file: 34 | 35 | # more /etc/rsyslog.conf 36 | 37 | Look for the following entry: 38 | 39 | *.* /var/log/messages 40 | 41 | If rsyslog is not logging messages for the cron facility or all facilities, this is a finding. 42 | 43 | If the entry is in the “/etc/rsyslog.conf” file but is after the entry: *.*\', this is a finding.' 
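
  # START_DESCRIBE RHEL-07-021160
  rsyslog_conf = file('/etc/rsyslog.conf')
  # Either a dedicated cron selector or a catch-all selector satisfies the
  # check; the dot in cron.log is escaped so it is matched literally.
  cron_logging_entry = /^(?:cron|\*)\.\*\s+\/var\/log\/(?:cron\.log|messages)$/
  # "*.* ~" discards every message that reaches it, so a cron entry placed
  # after it never logs anything. The check text treats that as a finding.
  discard_all_entry = /^\*\.\*\s+~/

  describe rsyslog_conf do
    its('content') { should match cron_logging_entry }
  end

  conf_lines = rsyslog_conf.content.to_s.split("\n")
  cron_entry_index = conf_lines.index { |line| line =~ cron_logging_entry }
  discard_index = conf_lines.index { |line| line =~ discard_all_entry }
  # Ordering only matters when both entries are present; a missing cron
  # entry is already reported by the describe above.
  if cron_entry_index && discard_index
    describe cron_entry_index do
      it { should be < discard_index }
    end
  end
  # STOP_DESCRIBE RHEL-07-021160

end

-------------------------------------------------------------------------------- /controls/RHEL-07-021190.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-021190 - If the cron.allow file exists it must be owned by root.'
control 'RHEL-07-021190' do
  impact 0.5
  title 'If the cron.allow file exists it must be owned by root.'
  desc 'If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.'
  tag 'stig', 'RHEL-07-021190'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-021190_chk'
  tag fixid: 'F-RHEL-07-021190_fix'
  tag version: 'RHEL-07-021190'
  tag ruleid: 'RHEL-07-021190_rule'
  tag fixtext: 'Set the owner on the “/etc/cron.allow” file to root with the following command:

# chown root /etc/cron.allow'
  tag checktext: 'Verify that the "cron.allow" file is owned by root.

Check the owner of the "cron.allow" file with the following command:

# l s -al /etc/cron.allow
-rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow

If the “cron.allow” file exists and has an owner other than root, this is a finding.'

  # START_DESCRIBE RHEL-07-021190
  # The requirement is conditional: only an existing cron.allow is tested.
  # exist? (rather than file?) also covers a symlink or other non-regular
  # path at this location, which file? would have skipped silently.
  cron_allow = file('/etc/cron.allow')
  if cron_allow.exist?
    describe cron_allow do
      it { should be_owned_by 'root' }
    end
  end
  # STOP_DESCRIBE RHEL-07-021190

end

-------------------------------------------------------------------------------- /controls/RHEL-07-021200.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-021200 - If the cron.allow file exists it must be group-owned by root.'
control 'RHEL-07-021200' do
  impact 0.5
  title 'If the cron.allow file exists it must be group-owned by root.'
  desc 'If the group owner of the “cron.allow” file is not set to root, sensitive information could be viewed or edited by unauthorized users.'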
12 | tag 'stig', 'RHEL-07-021200' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-021200_chk' 15 | tag fixid: 'F-RHEL-07-021200_fix' 16 | tag version: 'RHEL-07-021200' 17 | tag ruleid: 'RHEL-07-021200_rule' 18 | tag fixtext: 'Set the group owner on the “/etc/cron.allow” file to root with the following command: 19 | 20 | # chgrp root /etc/cron.allow' 21 | tag checktext: 'Verify that the “cron.allow” file is group-owned by root. 22 | 23 | Check the group owner of the “cron.allow” file with the following command: 24 | 25 | # ls -al /etc/cron.allow 26 | -rw------- 1 root root 6 Mar 5 2011 /etc/cron.allow 27 | 28 | If the “cron.allow” file exists and has a group owner other than root, this is a finding.' 29 | 30 | # START_DESCRIBE RHEL-07-021200 31 | cron_allow_exists = file('/etc/cron.allow').file? 32 | if cron_allow_exists 33 | describe file('/etc/cron.allow') do 34 | it { should be_grouped_into 'root' } 35 | end 36 | end 37 | # STOP_DESCRIBE RHEL-07-021200 38 | 39 | end 40 | 41 | -------------------------------------------------------------------------------- /controls/RHEL-07-021230.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-021230 - Kernel core dumps must be disabled unless needed.' 8 | control 'RHEL-07-021230' do 9 | impact 0.5 10 | title 'Kernel core dumps must be disabled unless needed.' 
11 | desc 'Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.' 12 | tag 'stig', 'RHEL-07-021230' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-021230_chk' 15 | tag fixid: 'F-RHEL-07-021230_fix' 16 | tag version: 'RHEL-07-021230' 17 | tag ruleid: 'RHEL-07-021230_rule' 18 | tag fixtext: 'If kernel core dumps are not required, disable the “kdump” service with the following command: 19 | 20 | # systemctl disable kdump.service 21 | 22 | If kernel core dumps are required, document the need with the ISSM.' 23 | tag checktext: 'Verify that kernel core dumps are disabled unless needed. 24 | 25 | Check the status of the “kdump” service with the following command: 26 | 27 | # systemctl status kdump.service 28 | kdump.service - Crash recovery kernel arming 29 | Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled) 30 | Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago 31 | Main PID: 1130 (code=exited, status=0/SUCCESS) 32 | kernel arming. 33 | 34 | If the “kdump” service is active, ask the System Administrator (SA) if the use of the service is required and documented with the Information System Security Manager (ISSM). 35 | 36 | If the service is active and is not documented, this is a finding.' 
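
  # START_DESCRIBE RHEL-07-021230
  # Both the running state and the boot-time enablement are checked, since
  # the check text asks about the service's status as well as its loading.
  describe service('kdump') do
    it { should_not be_running }
    it { should_not be_enabled }
  end
  # STOP_DESCRIBE RHEL-07-021230

end

-------------------------------------------------------------------------------- /controls/RHEL-07-021250.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-021250 - The system must use a separate file system for /var.'
control 'RHEL-07-021250' do
  impact 0.1
  title 'The system must use a separate file system for /var.'
  desc 'The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.'
  tag 'stig', 'RHEL-07-021250'
  tag severity: 'low'
  tag checkid: 'C-RHEL-07-021250_chk'
  tag fixid: 'F-RHEL-07-021250_fix'
  tag version: 'RHEL-07-021250'
  tag ruleid: 'RHEL-07-021250_rule'
  tag fixtext: 'Migrate the /var path onto a separate file system.'
  tag checktext: 'Verify that a separate file system/partition has been created for /var.

Check that a file system/partition has been created for /var with the following command:

# grep /var /etc/fstab
UUID=c274f65f /var ext4 noatime,nobarrier 1 2

If a separate entry for /var is not in use, this is a finding.'

  # START_DESCRIBE RHEL-07-021250
  # Anchored to the mount-point field of an uncommented fstab entry: a
  # device token, whitespace, exactly /var, whitespace. The original /\/var/
  # matched any line mentioning /var (a /var/log/audit entry, /var/tmp, or
  # a comment), so a system without a separate /var could still pass. The
  # /tmp control (RHEL-07-021270) uses the same unanchored pattern, where it
  # also matches a /var/tmp entry.
  describe file('/etc/fstab') do
    its('content') { should match /^[^#\s]\S*\s+\/var\s/ }
  end
  # STOP_DESCRIBE RHEL-07-021250

end

-------------------------------------------------------------------------------- /controls/RHEL-07-021260.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-021260 - The system must use /var/log/audit for the system audit data path.'
control 'RHEL-07-021260' do
  impact 0.1
  title 'The system must use /var/log/audit for the system audit data path.'
  desc 'The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.'
  tag 'stig', 'RHEL-07-021260'
  tag severity: 'low'
  tag checkid: 'C-RHEL-07-021260_chk'
  tag fixid: 'F-RHEL-07-021260_fix'
  tag version: 'RHEL-07-021260'
  tag ruleid: 'RHEL-07-021260_rule'
  tag fixtext: 'Migrate the system audit data path onto a separate file system.'
  tag checktext: 'Verify that a separate file system/partition has been created for the system audit data path.

Check that a file system/partition has been created for the system audit data path with the following command:

#grep /var/log/audit /etc/fstab
UUID=3645951a /var/log/audit ext4 defaults 1 2

If a separate entry for /var/log/audit does not exist, ask the System Administrator (SA) if the system audit logs are being written to a different file system/partition on the system, then grep for that file system/partition.

If a separate file system/partition does not exist for the system audit data path, this is a finding.'

  # START_DESCRIBE RHEL-07-021260
  # Anchored to the mount-point field of an uncommented entry, so a comment
  # line or a /var/log/audit substring elsewhere on a line does not pass.
  # A different, documented audit file system (see the check text) still
  # has to be confirmed with the SA; this control tests the default path.
  describe file('/etc/fstab') do
    its('content') { should match /^[^#\s]\S*\s+\/var\/log\/audit\s/ }
  end
  # STOP_DESCRIBE RHEL-07-021260

end

-------------------------------------------------------------------------------- /controls/RHEL-07-021270.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-021270 - The system must use a separate file system for /tmp (or equivalent).'
control 'RHEL-07-021270' do
  impact 0.1
  title 'The system must use a separate file system for /tmp (or equivalent).'
  desc 'The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.'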
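
  tag 'stig', 'RHEL-07-021270'
  tag severity: 'low'
  tag checkid: 'C-RHEL-07-021270_chk'
  tag fixid: 'F-RHEL-07-021270_fix'
  tag version: 'RHEL-07-021270'
  tag ruleid: 'RHEL-07-021270_rule'
  tag fixtext: 'Migrate the /tmp path onto a separate file system.'
  tag checktext: 'Verify that a separate file system/partition has been created for /tmp.

Check that a file system/partition has been created for “/tmp” with the following command:

# grep /tmp /etc/fstab
UUID=7835718b /tmp ext4 nodev,nosetuid,noexec 1 2

If a separate entry for /tmp is not in use, this is a finding.'

  # START_DESCRIBE RHEL-07-021270
  # /tmp must be the mount-point field of an uncommented entry. A bare /\/tmp/
  # was also satisfied by a /var/tmp entry or by a comment.
  describe file('/etc/fstab') do
    its('content') { should match /^\s*[^#\s]\S*\s+\/tmp\s+/ }
  end
  # STOP_DESCRIBE RHEL-07-021270

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030330.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited.'
control 'RHEL-07-030330' do
  impact 0.5
  title 'The operating system must off-load audit records onto a different system or media from the system being audited.'
  desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224'
  tag 'stig', 'RHEL-07-030330'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030330_chk'
  tag fixid: 'F-RHEL-07-030330_fix'
  tag version: 'RHEL-07-030330'
  tag ruleid: 'RHEL-07-030330_rule'
  tag fixtext: 'Configure the operating system to off-load audit records onto a different system or media from the system being audited.

Set the remote server option in /etc/audisp/audisp-remote.conf with the IP address of the log aggregation server.'
  tag checktext: 'Verify the operating system off-loads audit records onto a different system or media from the system being audited.

To determine the remote server that the records are being sent to, use the following command:

# grep -i remote_server /etc/audisp/audisp-remote.conf
remote_server = 10.0.21.1

If a remote server is not configured, or the line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-030330
  # remote_server may be a hostname, an IPv4 literal or an IPv6 literal (the old
  # character class had no ':' and rejected IPv6). Trailing whitespace is
  # tolerated; a commented-out line is not.
  # NOTE(review): audispd only hands records to this plugin when
  # /etc/audisp/plugins.d/au-remote.conf has `active = yes`; the STIG check text
  # does not cover that, so it is not asserted here.
  describe file('/etc/audisp/audisp-remote.conf') do
    it { should exist }
    its('content') { should match /^\s*remote_server\s*=\s*[\w.:\-]+\s*$/ }
  end
  # STOP_DESCRIBE RHEL-07-030330

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030331.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-030331 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.'
control 'RHEL-07-030331' do
  impact 0.5
  title 'The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.'
  desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224'
  tag 'stig', 'RHEL-07-030331'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030331_chk'
  tag fixid: 'F-RHEL-07-030331_fix'
  tag version: 'RHEL-07-030331'
  tag ruleid: 'RHEL-07-030331_rule'
  tag fixtext: 'Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.

Uncomment the enable_krb5 option in /etc/audisp/audisp-remote.conf and set it with the following line:

enable_krb5 = yes'
  tag checktext: 'Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.

To determine if the transfer is encrypted, use the following command:

# grep -i enable_krb5 /etc/audisp/audisp-remote.conf
enable_krb5 = yes

If the value of the “enable_krb5” option is not set to "yes" or the line is commented out, this is a finding.'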
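
  # START_DESCRIBE RHEL-07-030331
  # enable_krb5 = yes turns on the Kerberos-protected transport for audisp-remote;
  # the line must be present at the start of a line (i.e. not commented out).
  describe file('/etc/audisp/audisp-remote.conf') do
    it { should exist }
    its('content') { should match /^enable_krb5\s*=\s*yes$/ }
  end
  # STOP_DESCRIBE RHEL-07-030331

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030491.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-030491 - The operating system must generate audit records for all unsuccessful account access events.'
control 'RHEL-07-030491' do
  impact 0.5
  title 'The operating system must generate audit records for all unsuccessful account access events.'
  desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218'
  tag 'stig', 'RHEL-07-030491'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030491_chk'
  tag fixid: 'F-RHEL-07-030491_fix'
  tag version: 'RHEL-07-030491'
  tag ruleid: 'RHEL-07-030491_rule'
  tag fixtext: 'Configure the operating system to generate audit records when unsuccessful account access events occur.

Add or update the following rules in /etc/audit/rules.d/audit.rule:

-w /var/run/faillock/ -p wa -k logins

The audit daemon must be restarted for the changes to take effect.'
  tag checktext: 'Verify the operating system generates audit records when unsuccessful account access events occur.

Check the file system rule in /etc/audit/rules.d/audit.rules with the following commands:

# grep -i /var/run/faillock etc/audit/audit.rules

-w /var/run/faillock -p wa -k logins

If the command does not return any output, this is a finding.'

  # START_DESCRIBE RHEL-07-030491
  # Inspect the loaded rule set the same way RHEL-07-030492 does (auditd_rules
  # wraps `auditctl -l`) instead of shelling out separately. auditctl normalises
  # the watch path, so the trailing slash from the fix text may or may not be
  # echoed back; both spellings are accepted.
  describe auditd_rules do
    its('lines') { should include(match(/^-w \/var\/run\/faillock\/? -p wa -k logins$/)) }
  end
  # STOP_DESCRIBE RHEL-07-030491

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030492.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-030492 - The operating system must generate audit records for all successful account access events.'
control 'RHEL-07-030492' do
  impact 0.5
  title 'The operating system must generate audit records for all successful account access events.'
  desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218'
  tag 'stig', 'RHEL-07-030492'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030492_chk'
  tag fixid: 'F-RHEL-07-030492_fix'
  tag version: 'RHEL-07-030492'
  tag ruleid: 'RHEL-07-030492_rule'
  tag fixtext: 'Configure the operating system to generate audit records when successful account access events occur.

Add or update the following rule in /etc/audit/rules.d/audit.rules:

-w /var/log/lastlog -p wa -k logins

The audit daemon must be restarted for the changes to take effect.'
  tag checktext: 'Verify the operating system generates audit records when successful account access events occur.

Check the file system rules in /etc/audit/rules.d/audit.rules with the following commands:

# grep -i /var/log/lastlog etc/audit/audit.rules

-w /var/log/lastlog -p wa -k logins

If the command does not return any output, this is a finding.'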

  # START_DESCRIBE RHEL-07-030492
  # The loaded rule set (auditctl -l) must carry the lastlog watch verbatim.
  describe auditd_rules do
    its('lines') { should include '-w /var/log/lastlog -p wa -k logins' }
  end
  # STOP_DESCRIBE RHEL-07-030492

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030630.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-030630 - All uses of the pam_timestamp_check command must be audited.'
control 'RHEL-07-030630' do
  impact 0.5
  title 'All uses of the pam_timestamp_check command must be audited.'
  desc 'Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.'
  tag 'stig', 'RHEL-07-030630'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030630_chk'
  tag fixid: 'F-RHEL-07-030630_fix'
  tag version: 'RHEL-07-030630'
  tag ruleid: 'RHEL-07-030630_rule'
  tag fixtext: 'Configure the operating system to generate audit records when successful/unsuccessful attempts to use the pam_timestamp_check command occur.

Add or update the following rule in /etc/audit/rules.d/audit.rules:

-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F auid!=4294967295 -F subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -k privileged-pam

The audit daemon must be restarted for the changes to take effect.'
  tag checktext: 'Verify the operating system generates audit records when successful/unsuccessful attempts to use the pam_timestamp_check command occur.

Check the auditing rules in /etc/audit/rules.d/audit.rules with the following command:

# grep -i /sbin/pam_timestamp_check /etc/audit/rules.d/audit.rules

-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -k privileged-pam

If the command does not return any output, this is a finding.'

  # START_DESCRIBE RHEL-07-030630
  # Narrow the loaded rules to the pam_timestamp_check execution rule
  # (path, perm=x, key, action=always) and expect exactly one 'exit' list.
  # NOTE(review): the auid>=1000 / auid!=4294967295 filters from the fix text are
  # not asserted, so a rule lacking the uid filters also passes — confirm whether
  # that is acceptable.
  describe auditd_rules.syscall('all').path('/sbin/pam_timestamp_check').perm('x').key('privileged-pam').action('always').list do
    it { should eq(['exit']) }
  end
  # STOP_DESCRIBE RHEL-07-030630

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030770.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
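# impacts
title 'RHEL-07-030770 - The system must send rsyslog output to a log aggregation server.'
control 'RHEL-07-030770' do
  impact 0.5
  title 'The system must send rsyslog output to a log aggregation server.'
  desc 'Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.'
  tag 'stig', 'RHEL-07-030770'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030770_chk'
  tag fixid: 'F-RHEL-07-030770_fix'
  tag version: 'RHEL-07-030770'
  tag ruleid: 'RHEL-07-030770_rule'
  tag fixtext: 'Modify the “/etc/rsyslog.conf” file to contain a configuration line to send all “rsyslog” output to a log aggregation system:

*.* @@'
  tag checktext: 'Verify “rsyslog” is configured to send all messages to a log aggregation server.

Check the configuration of “rsyslog” with the following command:

# grep @ /etc/rsyslog.conf
*.* @@logagg.site.mil

If there are no lines in the “/etc/rsyslog.conf” file that contain the “@” or “@@” symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all “rsyslog” output, this is a finding.'

  # START_DESCRIBE RHEL-07-030770
  # The regex has to be applied to the file's content. The previous
  # `it { should match ... }` ran RSpec's match against the file resource object
  # itself (every other control in this profile uses its('content')), so the
  # configuration was never compared and the control failed regardless of it.
  # Accepts the legacy forwarding form "*.* @host" / "*.* @@host" from the check
  # text. Forwarding rules placed under /etc/rsyslog.d/*.conf are not examined.
  describe file('/etc/rsyslog.conf') do
    it { should exist }
    its('content') { should match /^\*\.\*\s+@{1,2}.+$/ }
  end
  # STOP_DESCRIBE RHEL-07-030770

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-030780.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-030780 - The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.'
control 'RHEL-07-030780' do
  impact 0.5
  title 'The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.'
  desc 'Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system\'s logs, or could fill the system\'s storage leading to a Denial of Service. If the system is intended to be a log aggregation server its use must be documented with the ISSO.'
  tag 'stig', 'RHEL-07-030780'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-030780_chk'
  tag fixid: 'F-RHEL-07-030780_fix'
  tag version: 'RHEL-07-030780'
  tag ruleid: 'RHEL-07-030780_rule'
  tag fixtext: 'Modify the “/etc/rsyslog.conf” file to remove the “ModLoad imtcp” configuration line, or document the system as being used for log aggregation.'
  tag checktext: 'Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.

Check the configuration of rsyslog with the following command:

# grep imtcp /etc/rsyslog.conf
ModLoad imtcp

If the "imtcp" module is being loaded in the "/etc/rsyslog.conf" file ask to see the documentation for the system being used for log aggregation.

If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.'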
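
  # START_DESCRIBE RHEL-07-030780
  # The old check passed unconditionally for two reasons: `it { should_not match }`
  # was applied to the file resource rather than its content, and the legacy
  # directive is spelled `$ModLoad imtcp`, which /^ModLoad/ can never match.
  # Both the legacy directive and the RainerScript `module(load="imtcp")` form
  # are now rejected. A documented log aggregation server is an expected finding
  # here (see check text). Includes under /etc/rsyslog.d/*.conf are not examined.
  describe file('/etc/rsyslog.conf') do
    its('content') { should_not match /^\s*\$ModLoad\s+imtcp\b/ }
    its('content') { should_not match /^\s*module\(\s*load\s*=\s*"imtcp"/ }
  end
  # STOP_DESCRIBE RHEL-07-030780

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-040010.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040010 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.'
control 'RHEL-07-040010' do
  impact 0.1
  title 'The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.'
  desc 'Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.'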
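
  tag 'stig', 'RHEL-07-040010'
  tag severity: 'low'
  tag checkid: 'C-RHEL-07-040010_chk'
  tag fixid: 'F-RHEL-07-040010_fix'
  tag version: 'RHEL-07-040010'
  tag ruleid: 'RHEL-07-040010_rule'
  tag fixtext: 'Configure the operating system to limit the number of concurrent sessions to 10 for all accounts and/or account types.

Add the following line to the top of the /etc/security/limits.conf:

* hard maxlogins 10'
  tag checktext: 'Verify the operating system limits the number of concurrent sessions to ten for all accounts and/or account types by issuing the following command:

# grep "maxlogins" /etc/security/limits.conf
* hard maxlogins 10

This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.

If the maxlogins item is missing or the value is not set to 10 or less for all domains that have the maxlogins item assigned, this is a finding.'

  # START_DESCRIBE RHEL-07-040010
  # limits.conf line: <domain> <type> <item> <value>. The domain must start the
  # line and not be a comment — a commented-out `#* hard maxlogins 10` satisfied
  # the old /^.+\s+hard\s+maxlogins/ pattern. The check text also requires every
  # domain that sets a hard maxlogins to be 10 or less, so a second domain with a
  # value above 10 is a finding as well. /etc/security/limits.d/*.conf is not
  # examined here.
  describe file('/etc/security/limits.conf') do
    its('content') { should match /^\s*[^#\s]\S*\s+hard\s+maxlogins\s+([0-9]|10)\s*$/ }
    its('content') { should_not match /^\s*[^#\s]\S*\s+hard\s+maxlogins\s+(1[1-9]|[2-9][0-9]|[0-9]{3,})\s*$/ }
  end
  # STOP_DESCRIBE RHEL-07-040010

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-040050.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.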
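# impacts
title 'RHEL-07-040050 - The operating system must map the authenticated identity to the user or group account for PKI-based authentication.'
control 'RHEL-07-040050' do
  impact 0.5
  title 'The operating system must map the authenticated identity to the user or group account for PKI-based authentication.'
  desc 'Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.'
  tag 'stig', 'RHEL-07-040050'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040050_chk'
  tag fixid: 'F-RHEL-07-040050_fix'
  tag version: 'RHEL-07-040050'
  tag ruleid: 'RHEL-07-040050_rule'
  tag fixtext: 'Configure the operating system to map the authenticated identity to the user or group account for PKI-based authentication by creating the common name map file with the following command:

# touch /etc/pam_pkcs11/subject_mapping'
  tag checktext: 'Verify the operating system maps the authenticated identity to the user or group account for PKI–based authentication by verifying the common name map file exists with the following command:

# ls –al /etc/pam_pkcs11/cn_map
–rw–r––––– 1 root root 1294 Apr 22 17:22 /etc/pam_pkcs11/subject_mapping

If the file does not exist, this is a finding.'

  # START_DESCRIBE RHEL-07-040050
  # Report the control as skipped when pam_pkcs11 is not installed, instead of
  # silently emitting no tests as the old `if installed?` guard did.
  only_if { package('pam_pkcs11').installed? }

  # NOTE(review): the control title and the check-text command name cn_map, while
  # the fix text and this test use subject_mapping. pam_pkcs11 reads whichever map
  # file its configured mapper uses (cn -> cn_map, subject -> subject_mapping);
  # confirm against use_mappers in /etc/pam_pkcs11/pam_pkcs11.conf before changing
  # the path. Sibling controls 040060-040080 check cn_map.
  describe file('/etc/pam_pkcs11/subject_mapping') do
    it { should exist }
  end
  # STOP_DESCRIBE RHEL-07-040050

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-040060.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040060 - The cn_map file must have mode 0644 or less permissive.'
control 'RHEL-07-040060' do
  impact 0.5
  title 'The cn_map file must have mode 0644 or less permissive.'
  desc 'Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.'
  tag 'stig', 'RHEL-07-040060'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040060_chk'
  tag fixid: 'F-RHEL-07-040060_fix'
  tag version: 'RHEL-07-040060'
  tag ruleid: 'RHEL-07-040060_rule'
  tag fixtext: 'Configure the operating system to protect the file that maps the authenticated identity to the user or group account for PKI-based authentication by setting the mode on the cn_map file to “0644” with the following command:

# chmod 0644 /etc/pam_pkcs11/cn_map'
  tag checktext: 'Verify the operating system protects the file that maps the authenticated identity to the user or group account for PKI–based authentication.

Check the mode on the cn_map file with the following command:

# ls –al /etc/pam_pkcs11/cn_map
–rw––––––– 1 root root 1294 Apr 22 17:22 /etc/pam_pkcs11/cn_map

If the cn_map file has a mode more permissive than “0644”, this is a finding.'

  # START_DESCRIBE RHEL-07-040060
  # Skip (and say so) when pam_pkcs11 is not installed.
  only_if { package('pam_pkcs11').installed? }

  describe file('/etc/pam_pkcs11/cn_map') do
    it { should exist }
    # "0644 or less permissive" means no permission bit outside rw-r--r-- may be
    # set. The old `cmp '0644'` demanded exactly 0644 and therefore failed the
    # 0600 file that the check text itself shows as compliant. 0o133 is the
    # complement of 0644 within the permission bits.
    its('mode') { should satisfy { |m| !m.nil? && (m & 0o133).zero? } }
  end
  # STOP_DESCRIBE RHEL-07-040060

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-040070.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040070 - The cn_map file must be owned by root.'
control 'RHEL-07-040070' do
  impact 0.5
  title 'The cn_map file must be owned by root.'
  desc 'Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.'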
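
  tag 'stig', 'RHEL-07-040070'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040070_chk'
  tag fixid: 'F-RHEL-07-040070_fix'
  tag version: 'RHEL-07-040070'
  tag ruleid: 'RHEL-07-040070_rule'
  tag fixtext: 'Configure the operating system to protect the file that maps the authenticated identity to the user or group account for PKI-based authentication by setting the owner on the cn_map file to root with the following command:

# chown root /etc/pam_pkcs11/cn_map'
  tag checktext: 'Verify the operating system protects the file that maps the authenticated identity to the user or group account for PKI–based authentication.

Check the owner on the cn_map file with the following command:

# ls –al /etc/pam_pkcs11/cn_map
–rw––––––– 1 root root 1294 Apr 22 17:22 /etc/pam_pkcs11/cn_map

If the cn_map file has an owner other than root, this is a finding.'

  # START_DESCRIBE RHEL-07-040070
  # Report the control as skipped when pam_pkcs11 is not installed, instead of
  # silently emitting no tests as the old `if installed?` guard did.
  only_if { package('pam_pkcs11').installed? }

  describe file('/etc/pam_pkcs11/cn_map') do
    it { should exist }
    its('owner') { should eq 'root' }
  end
  # STOP_DESCRIBE RHEL-07-040070

end

# --------------------------------------------------------------------------------
# /controls/RHEL-07-040080.rb:
# --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.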
6 | # impacts 7 | title 'RHEL-07-040080 - The cn_map file must be group owned by root.' 8 | control 'RHEL-07-040080' do 9 | impact 0.5 10 | title 'The cn_map file must be group owned by root.' 11 | desc 'Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.' 12 | tag 'stig', 'RHEL-07-040080' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-040080_chk' 15 | tag fixid: 'F-RHEL-07-040080_fix' 16 | tag version: 'RHEL-07-040080' 17 | tag ruleid: 'RHEL-07-040080_rule' 18 | tag fixtext: 'Configure the operating system to protect the file that maps the authenticated identity to the user or group account for PKI-based authentication by setting the group owner on the cn_map file to root with the following command: 19 | 20 | # chgrp root /etc/pam_pkcs11/cn_map' 21 | tag checktext: 'Verify the operating system protects the file that maps the authenticated identity to the user or group account for PKI–based authentication. 22 | 23 | Check the group owner on the cn_map file with the following command: 24 | 25 | # ls –al /etc/pam_pkcs11/cn_map 26 | –rw––––––– 1 root root 1294 Apr 22 17:22 /etc/pam_pkcs11/cn_map 27 | 28 | If the cn_map file has a group owner other than root, this is a finding.' 29 | 30 | # START_DESCRIBE RHEL-07-040080 31 | is_pam_pkcs11_installed = package('pam_pkcs11').installed? 
32 | if is_pam_pkcs11_installed 33 | describe file('/etc/pam_pkcs11/cn_map') do 34 | it { should be_grouped_into 'root' } 35 | end 36 | end 37 | # STOP_DESCRIBE RHEL-07-040080 38 | 39 | end 40 | 41 | -------------------------------------------------------------------------------- /controls/RHEL-07-040300.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-040300 - The system must display the date and time of the last successful account logon upon logon.' 8 | control 'RHEL-07-040300' do 9 | impact 0.1 10 | title 'The system must display the date and time of the last successful account logon upon logon.' 11 | desc 'Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.' 12 | tag 'stig', 'RHEL-07-040300' 13 | tag severity: 'low' 14 | tag checkid: 'C-RHEL-07-040300_chk' 15 | tag fixid: 'F-RHEL-07-040300_fix' 16 | tag version: 'RHEL-07-040300' 17 | tag ruleid: 'RHEL-07-040300_rule' 18 | tag fixtext: 'Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in “/etc/pam.d/postlogin”. 19 | 20 | Add the following line to the top of “/etc/pam.d/postlogin”: 21 | 22 | session required pam_lastlog.so showfailed' 23 | tag checktext: 'Verify that users are provided with feedback on when account accesses last occurred. 
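
Check that “pam_lastlog” is used and not silent with the following command:

# grep pam_lastlog /etc/pam.d/postlogin

session required pam_lastlog.so showfailed silent

If “pam_lastlog” is missing from “/etc/pam.d/postlogin” file, or the silent option is present on the line check for the “PrintLastLog” keyword in the sshd daemon configuration file, this is a finding.'

  # START_DESCRIBE RHEL-07-040300
  # pam_lastlog must be configured with "showfailed" and must not carry the
  # "silent" option. The "." in "pam_lastlog.so" is escaped so the pattern
  # matches the literal module name instead of any single character.
  describe file('/etc/pam.d/postlogin') do
    its('content') { should match /^session\s+required\s+pam_lastlog\.so\s+.*showfailed.*$/ }
    its('content') { should_not match /^session\s+required\s+pam_lastlog\.so\s+.*silent.*$/ }
  end

  # PrintLastLog only takes yes/no, so the previous "should_not eq 'silent'"
  # could never fail. An explicit "no" suppresses the last-logon banner and is
  # the finding; an absent keyword is not flagged here because RHEL-07-040301
  # separately requires PrintLastLog to be set to yes. cmp is case-insensitive.
  describe sshd_config do
    its('PrintLastLog') { should_not cmp 'no' }
  end
  # STOP_DESCRIBE RHEL-07-040300

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040301.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040301 - The system must display the date and time of the last successful account logon upon an SSH logon.'
control 'RHEL-07-040301' do
  impact 0.5
  title 'The system must display the date and time of the last successful account logon upon an SSH logon.'
  desc 'Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.'
  tag 'stig', 'RHEL-07-040301'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040301_chk'
  tag fixid: 'F-RHEL-07-040301_fix'
  tag version: 'RHEL-07-040301'
  tag ruleid: 'RHEL-07-040301_rule'
  tag fixtext: 'Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in “/etc/pam.d/sshd” or in the “sshd_config” file used by the system (/etc/ssh/sshd_config will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).

Add the following line to the top of “/etc/pam.d/sshd”:

session required pam_lastlog.so showfailed

Or modify the PrintLastLog line in “/etc/ssh/sshd_config” to match the following:

PrintLastLog yes'
  tag checktext: 'Verify SSH provides users with feedback on when account accesses last occurred.

Check that “PrintLastLog” keyword in the sshd daemon configuration file is used and set to “yes” with the following command:

# grep -i printlastlog /etc/ssh/sshd_config
PrintLastLog yes

If the “PrintLastLog” keyword is set to “no”, is missing, or is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040301
  # Per the check text a missing or commented-out keyword is a finding, and the
  # resource returns nil in that case, which cmp 'yes' rejects. cmp rather than
  # eq so that "Yes"/"YES" (accepted by sshd) are not reported as findings.
  describe sshd_config do
    its('PrintLastLog') { should cmp 'yes' }
  end
  # STOP_DESCRIBE RHEL-07-040301

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040310.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040310 - The system must not permit direct logons to the root account using remote access via SSH.'
control 'RHEL-07-040310' do
  impact 0.5
  title 'The system must not permit direct logons to the root account using remote access via SSH.'
  desc 'Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.'
  tag 'stig', 'RHEL-07-040310'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040310_chk'
  tag fixid: 'F-RHEL-07-040310_fix'
  tag version: 'RHEL-07-040310'
  tag ruleid: 'RHEL-07-040310_rule'
  tag fixtext: 'Configure SSH to stop users from logging on remotely as the root user.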
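
Edit the appropriate /etc/ssh/sshd_config file to uncomment or add the line for the PermitRootLogin keyword and set its value to “no” (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

PermitRootLogin no'
  tag checktext: 'Verify remote access using SSH prevents users from logging on directly as root.

Check that SSH prevents users from logging on directly as root with the following command:

# grep -i permitrootlogin /etc/ssh/sshd_config
PermitRootLogin no

If the “PermitRootLogin” keyword is set to “yes”, is missing, or is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040310
  # Only the literal value "no" satisfies the requirement; a missing keyword
  # (nil) and any other value, including the key-only variants, remain findings.
  # cmp is used so that a differently-cased "No" is not reported as a finding.
  describe sshd_config do
    its('PermitRootLogin') { should cmp 'no' }
  end
  # STOP_DESCRIBE RHEL-07-040310

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040330.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040330 - There must be no .shosts files on the system.'
control 'RHEL-07-040330' do
  impact 1.0
  title 'There must be no .shosts files on the system.'
  desc 'The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.'
  tag 'stig', 'RHEL-07-040330'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-040330_chk'
  tag fixid: 'F-RHEL-07-040330_fix'
  tag version: 'RHEL-07-040330'
  tag ruleid: 'RHEL-07-040330_rule'
  tag fixtext: 'Remove any found .shosts files from the system.

# rm /[path]/[to]/[file]/.shosts'
  tag checktext: 'Verify there are no .shosts files on the system.

Check the system for the existence of these files with the following command:

# find / -name \'*.shosts’

If any .shosts files are found on the system, this is a finding.'

  # START_DESCRIBE RHEL-07-040330
  # The glob is single-quoted for the shell: unquoted, *.shosts would be
  # expanded against the working directory before find ever saw it, and a
  # matching name there would silently narrow the search to that one name.
  # stderr is discarded so permission-denied noise does not reach stdout.
  describe command("find / -name '*.shosts' 2> /dev/null") do
    its('stdout') { should eq '' }
  end
  # STOP_DESCRIBE RHEL-07-040330

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040331.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040331 - There must be no shosts.equiv files on the system.'
control 'RHEL-07-040331' do
  impact 1.0
  title 'There must be no shosts.equiv files on the system.'
  desc 'The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.'
  tag 'stig', 'RHEL-07-040331'
  tag severity: 'high'
  tag checkid: 'C-RHEL-07-040331_chk'
  tag fixid: 'F-RHEL-07-040331_fix'
  tag version: 'RHEL-07-040331'
  tag ruleid: 'RHEL-07-040331_rule'
  tag fixtext: 'Remove any found shosts.equiv files from the system.

# rm /[path]/[to]/[file]/shosts.equiv'
  tag checktext: 'Verify there are no shosts.equiv files on the system.

Check the system for the existence of these files with the following command:

# find / -name shosts.equiv

If any shosts.equiv files are found on the system, this is a finding.'

  # START_DESCRIBE RHEL-07-040331
  # Any path printed by find is a finding; the name has no glob characters,
  # so no shell quoting is needed here.
  describe command('find / -name shosts.equiv 2> /dev/null') do
    its('stdout') { should eq '' }
  end
  # STOP_DESCRIBE RHEL-07-040331

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040332.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040332 - The SSH daemon must not allow authentication using known hosts authentication.'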
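control 'RHEL-07-040332' do
  impact 0.5
  title 'The SSH daemon must not allow authentication using known hosts authentication.'
  desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.'
  tag 'stig', 'RHEL-07-040332'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040332_chk'
  tag fixid: 'F-RHEL-07-040332_fix'
  tag version: 'RHEL-07-040332'
  tag ruleid: 'RHEL-07-040332_rule'
  tag fixtext: 'Configure the SSH daemon to not allow authentication using known hosts authentication.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to yes:

IgnoreUserKnownHosts yes'
  tag checktext: 'Verify the SSH daemon does not allow authentication using known hosts authentication.

To determine how the SSH daemon\'s "IgnoreUserKnownHosts" option is set, run the following command:

# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config

IgnoreUserKnownHosts yes

If the value is returned as “no”, the returned line is commented out, or no output is returned, this is a finding.'

  # START_DESCRIBE RHEL-07-040332
  # A missing keyword (nil) is a finding per the check text; cmp keeps the
  # comparison case-insensitive, matching how sshd reads its yes/no values.
  describe sshd_config do
    its('IgnoreUserKnownHosts') { should cmp 'yes' }
  end
  # STOP_DESCRIBE RHEL-07-040332

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040333.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040333 - The SSH daemon must not allow authentication using RSA rhosts authentication.'
control 'RHEL-07-040333' do
  impact 0.5
  title 'The SSH daemon must not allow authentication using RSA rhosts authentication.'
  desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.'
  tag 'stig', 'RHEL-07-040333'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040333_chk'
  tag fixid: 'F-RHEL-07-040333_fix'
  tag version: 'RHEL-07-040333'
  tag ruleid: 'RHEL-07-040333_rule'
  tag fixtext: 'Configure the SSH daemon to not allow authentication using RSA rhosts authentication.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to no:

RhostsRSAAuthentication no'
  tag checktext: 'Verify the SSH daemon does not allow authentication using RSA rhosts authentication.

To determine how the SSH daemon\'s "RhostsRSAAuthentication" option is set, run the following command:

# grep -i RhostsRSAAuthentication /etc/ssh/sshd_config

RhostsRSAAuthentication no

If the value is returned as “yes”, the returned line is commented out, or no output is returned, this is a finding.'

  # START_DESCRIBE RHEL-07-040333
  # The fix text above previously said "set the value to yes" and the check
  # text grepped for IgnoreUserKnownHosts (copied from RHEL-07-040332); both
  # now name this control's own keyword and required value "no".
  # NOTE(review): newer OpenSSH releases treat RhostsRSAAuthentication as a
  # deprecated keyword that sshd ignores; on such hosts this check only
  # confirms the config-file setting -- verify against the installed
  # openssh-server version.
  describe sshd_config do
    its('RhostsRSAAuthentication') { should cmp 'no' }
  end
  # STOP_DESCRIBE RHEL-07-040333

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040334.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040334 - The SSH daemon must not allow authentication using rhosts authentication.'
control 'RHEL-07-040334' do
  impact 0.5
  title 'The SSH daemon must not allow authentication using rhosts authentication.'
  desc 'Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.'
  tag 'stig', 'RHEL-07-040334'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040334_chk'
  tag fixid: 'F-RHEL-07-040334_fix'
  tag version: 'RHEL-07-040334'
  tag ruleid: 'RHEL-07-040334_rule'
  tag fixtext: 'Configure the SSH daemon to not allow authentication using rhosts authentication.

Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to “yes”:

IgnoreRhosts yes'
  tag checktext: 'Verify the SSH daemon does not allow authentication using rhosts authentication.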
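
To determine how the SSH daemon\'s "IgnoreRhosts" option is set, run the following command:

# grep -i IgnoreRhosts /etc/ssh/sshd_config

IgnoreRhosts yes

If the value is returned as “no”, the returned line is commented out, or no output is returned, this is a finding.'

  # START_DESCRIBE RHEL-07-040334
  # IgnoreRhosts governs whether .rhosts/.shosts are consulted for host-based
  # authentication. A missing keyword (nil) is a finding per the check text;
  # cmp keeps the yes/no comparison case-insensitive, as sshd itself does.
  describe sshd_config do
    its('IgnoreRhosts') { should cmp 'yes' }
  end
  # STOP_DESCRIBE RHEL-07-040334

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040350.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040350 - The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.'
control 'RHEL-07-040350' do
  impact 0.5
  title 'The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.'
  desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.'
  tag 'stig', 'RHEL-07-040350'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040350_chk'
  tag fixid: 'F-RHEL-07-040350_fix'
  tag version: 'RHEL-07-040350'
  tag ruleid: 'RHEL-07-040350_rule'
  tag fixtext: 'Set the system to the required kernel parameter by adding the following line to /etc/sysctl.conf (or modify the line to have the required value):

net.ipv4.conf.all.accept_source_route = 0'
  tag checktext: 'Verify the system does not accept IPv4 source-routed packets.

Check the value of the accept source route variable with the following command:

# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route=0

If the returned line does not have a value of “0”, a line is not returned, or the returned line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040350
  # Reads the live kernel value, mirroring the "sysctl -a" check above; whether
  # the setting is persisted in /etc/sysctl.conf is not verified here.
  describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do
    its('value') { should eq 0 }
  end
  # STOP_DESCRIBE RHEL-07-040350

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040351.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040351 - The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.'
control 'RHEL-07-040351' do
  impact 0.5
  title 'The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.'
  desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.'
  tag 'stig', 'RHEL-07-040351'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040351_chk'
  tag fixid: 'F-RHEL-07-040351_fix'
  tag version: 'RHEL-07-040351'
  tag ruleid: 'RHEL-07-040351_rule'
  tag fixtext: 'Set the system to the required kernel parameter by adding the following line to /etc/sysctl.conf (or modify the line to have the required value):

net.ipv4.conf.default.accept_source_route = 0'
  tag checktext: 'Verify the system does not accept IPv4 source-routed packets by default.

Check the value of the accept source route variable with the following command:

# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route
net.ipv4.conf.default.accept_source_route=0

If the returned line does not have a value of “0”, a line is not returned, or the returned line is commented out, this is a finding.'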

  # START_DESCRIBE RHEL-07-040351
  # The "default" template applies to interfaces created after boot; the live
  # kernel value is what is checked, as in the "sysctl -a" check text.
  describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do
    its('value') { should eq 0 }
  end
  # STOP_DESCRIBE RHEL-07-040351

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040380.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040380 - The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.'
control 'RHEL-07-040380' do
  impact 0.5
  title 'The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.'
  desc 'Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.'
  tag 'stig', 'RHEL-07-040380'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040380_chk'
  tag fixid: 'F-RHEL-07-040380_fix'
  tag version: 'RHEL-07-040380'
  tag ruleid: 'RHEL-07-040380_rule'
  tag fixtext: 'Set the system to the required kernel parameter with the following command:

# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1'
  tag checktext: 'Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.

Check the value of the icmp_echo_ignore_broadcasts variable with the following command:

# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts=1

If the returned line does not have a value of “1”, a line is not returned, or the retuned line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040380
  # Only the running value is inspected. Note that the fix text above uses
  # "sysctl -w", which (unlike the sysctl.conf edits in the neighbouring
  # controls) does not survive a reboot on its own.
  describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do
    its('value') { should eq 1 }
  end
  # STOP_DESCRIBE RHEL-07-040380

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040410.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040410 - The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.'
control 'RHEL-07-040410' do
  impact 0.5
  title 'The system must ignore to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.'
  desc 'ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host\'s route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.'
  tag 'stig', 'RHEL-07-040410'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040410_chk'
  tag fixid: 'F-RHEL-07-040410_fix'
  tag version: 'RHEL-07-040410'
  tag ruleid: 'RHEL-07-040410_rule'
  tag fixtext: 'Set the system to the required kernel parameter by adding the following line to /etc/sysctl.conf (or modify the line to have the required value):

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0'
  tag checktext: 'Verify the system ignores IPv4 ICMP redirect messages.

Check the value of the “accept_redirects” variables with the following command:

# /sbin/sysctl -a | grep \'net.ipv4.conf.*.accept_redirects\'
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0

If both of the returned line do not have a value of “0”, a line is not returned, or the retuned line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040410
  # Both the "default" template and the "all" override must reject redirects;
  # each scope is reported as its own describe block, default first.
  %w[default all].each do |scope|
    describe kernel_parameter("net.ipv4.conf.#{scope}.accept_redirects") do
      its('value') { should eq 0 }
    end
  end
  # STOP_DESCRIBE RHEL-07-040410

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040420.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents.
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 6 | # impacts 7 | title 'RHEL-07-040420 - The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.' 8 | control 'RHEL-07-040420' do 9 | impact 0.5 10 | title 'The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.' 11 | desc 'ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system\'s route table, possibly revealing portions of the network topology.' 12 | tag 'stig', 'RHEL-07-040420' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-040420_chk' 15 | tag fixid: 'F-RHEL-07-040420_fix' 16 | tag version: 'RHEL-07-040420' 17 | tag ruleid: 'RHEL-07-040420_rule' 18 | tag fixtext: 'Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 19 | 20 | Set the system to the required kernel parameter by adding the following line to /etc/sysctl.conf (or modify the line to have the required value): 21 | 22 | net.ipv4.conf.default.send_redirects=0' 23 | tag checktext: 'Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default. 24 | 25 | Check the value of the "default send_redirects" variables with the following command: 26 | 27 | # /sbin/sysctl -a | grep \'net.ipv4.conf.default.send_redirects\' 28 | net.ipv4.conf.default.send_redirects=0 29 | 30 | If the returned line does not have a value of “0”, a line is not returned, or the retuned line is commented out, this is a finding.' 
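
# START_DESCRIBE RHEL-07-040420
# kernel_parameter reads the live sysctl value, not /etc/sysctl.conf, so a
# file edit that has not been applied (or a later runtime override) is what
# gets reported here.
describe kernel_parameter('net.ipv4.conf.default.send_redirects') do
  its('value') { should eq 0 }
end
# STOP_DESCRIBE RHEL-07-040420

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040421.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040421 - The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.'
control 'RHEL-07-040421' do
impact 0.5
title 'The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.'
desc 'ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system\'s route table, possibly revealing portions of the network topology.'
tag 'stig', 'RHEL-07-040421'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040421_chk'
tag fixid: 'F-RHEL-07-040421_fix'
tag version: 'RHEL-07-040421'
tag ruleid: 'RHEL-07-040421_rule'
tag fixtext: 'Configure the system to not allow interfaces to perform IPv4 ICMP redirects.

Set the system to the required kernel parameter by adding the following line to /etc/sysctl.conf (or modify the line to have the required value):

net.ipv4.conf.all.send_redirects=0'
tag checktext: 'Verify the system does not send IPv4 ICMP redirect messages.

Check the value of the "all send_redirects" variables with the following command:

# /sbin/sysctl -a | grep net.ipv4.conf.all.send_redirects

net.ipv4.conf.all.send_redirects=0

If the returned line does not have a value of “0”, a line is not returned, or the retuned line is commented out, this is a finding.'

# START_DESCRIBE RHEL-07-040421
# Same caveat as RHEL-07-040420: this is the running value, not the file.
describe kernel_parameter('net.ipv4.conf.all.send_redirects') do
  its('value') { should eq 0 }
end
# STOP_DESCRIBE RHEL-07-040421

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040470.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040470 - Network interfaces must not be in promiscuous mode.'
control 'RHEL-07-040470' do
impact 0.5
title 'Network interfaces must not be in promiscuous mode.'
desc 'Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Manager (ISSM) and restricted to only authorized personnel.'
tag 'stig', 'RHEL-07-040470'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040470_chk'
tag fixid: 'F-RHEL-07-040470_fix'
tag version: 'RHEL-07-040470'
tag ruleid: 'RHEL-07-040470_rule'
tag fixtext: 'Configure network interfaces to turn off promiscuous mode unless approved by the ISSM and documented.

Set the promiscuous mode of an interface to off with the following command:

#ip link set dev multicast off promisc off'
tag checktext: 'Verify network interfaces are not in promiscuous mode unless approved by the Information System Security Manager (ISSM) and documented.

Check for the status with the following command:

# ip link | grep -i promisc

If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSM and documented, this is a finding.'

# START_DESCRIBE RHEL-07-040470
# grep exits 1 when nothing matches, so a clean system yields empty stdout
# and exit status 1. stdout is compared with the empty string rather than
# /^$/: that regex also matches the empty line after a trailing newline, so
# it passed even when an interface was listed in PROMISC mode.
describe command('ip link | grep -i promisc') do
  its('stdout') { should eq '' }
  its('exit_status') { should eq 1 }
end
# STOP_DESCRIBE RHEL-07-040470

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040490.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040490 - A File Transfer Protocol (FTP) server package must not be installed unless needed.'
control 'RHEL-07-040490' do
impact 1.0
title 'A File Transfer Protocol (FTP) server package must not be installed unless needed.'
desc 'The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.'
tag 'stig', 'RHEL-07-040490'
tag severity: 'high'
tag checkid: 'C-RHEL-07-040490_chk'
tag fixid: 'F-RHEL-07-040490_fix'
tag version: 'RHEL-07-040490'
tag ruleid: 'RHEL-07-040490_rule'
tag fixtext: 'Document the "lftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:

# yum remove lftpd'
tag checktext: 'Verify a lightweight FTP server has not been installed on the system.

Check to see if a lightweight FTP server has been installed with the following commands:

# yum list installed | grep lftpd
lftp-4.4.8-7.el7.x86_64.rpm

An alternate method of determining if a lightweight FTP server is active on the server is to use the following command:

# netstat -a | grep 21

If “lftpd” is installed, or if an application is listening on port 21, and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.'

# START_DESCRIBE RHEL-07-040490
# NOTE(review): 'lftpd' is the package name given in the STIG text, while the
# sample output above lists 'lftp-…'; confirm the name matches the FTP server
# package actually shipped for this platform before relying on this check.
describe package('lftpd') do
  it { should_not be_installed }
end

# Independent signal: an FTP daemon installed under another package name is
# still caught if something is listening on port 21.
describe port(21) do
  it { should_not be_listening }
end
# STOP_DESCRIBE RHEL-07-040490

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040500.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040500 - The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.'
control 'RHEL-07-040500' do
impact 1.0
title 'The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.'
desc 'If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.'
tag 'stig', 'RHEL-07-040500'
tag severity: 'high'
tag checkid: 'C-RHEL-07-040500_chk'
tag fixid: 'F-RHEL-07-040500_fix'
tag version: 'RHEL-07-040500'
tag ruleid: 'RHEL-07-040500_rule'
tag fixtext: 'Remove the TFTP package from the system with the following command:

# yum remove tftp'
tag checktext: 'Verify a TFTP server has not been installed on the system.

Check to see if a TFTP server has been installed with the following command:

# yum list installed | grep tftp-server
tftp-server-0.49-9.el7.x86_64.rpm

An alternate method of determining if a TFTP server is active on the server is to use the following commands:

# netstat -a | grep 69
# netstat -a | grep 8099

If TFTP is installed and the requirement for TFTP is not documented with the ISSM, this is a finding.'

# START_DESCRIBE RHEL-07-040500
# The check text greps for 'tftp-server' while the fix text removes 'tftp';
# the original control only looked at 'tftp', so an installed server package
# would have passed. Both names are checked.
describe package('tftp') do
  it { should_not be_installed }
end

describe package('tftp-server') do
  it { should_not be_installed }
end

# Ports are given as integers, matching port(21) in RHEL-07-040490.
# NOTE(review): TFTP is 69/udp; confirm the port resource reports UDP
# listeners on this platform, otherwise this check only covers TCP.
describe port(69) do
  it { should_not be_listening }
end

describe port(8099) do
  it { should_not be_listening }
end
# STOP_DESCRIBE RHEL-07-040500

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040520.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040520 - If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.'
control 'RHEL-07-040520' do
impact 0.5
title 'If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.'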
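desc 'Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.'
tag 'stig', 'RHEL-07-040520'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040520_chk'
tag fixid: 'F-RHEL-07-040520_fix'
tag version: 'RHEL-07-040520'
tag ruleid: 'RHEL-07-040520_rule'
tag fixtext: 'Configure the TFTP daemon to operate in secure mode by adding the following line to /etc/xinetd.d/tftp (or modify the line to have the required value):

server_args = -s /var/lib/tftpboot'
tag checktext: 'Verify the TFTP daemon is configured to operate in secure mode.

Check to see if a TFTP server has been installed with the following commands:

# yum list installed | grep tftp
tftp-0.49-9.el7.x86_64.rpm

If a TFTP server is not installed, this is Not Applicable.

If a TFTP server is installed, check for the server arguments with the following command:

# grep server_arge /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot

If the “server_args” line does not have a -s option and the directory /var/lib/tftpboot, this is a finding.'

# START_DESCRIBE RHEL-07-040520
# The daemon configured in /etc/xinetd.d/tftp ships in 'tftp-server', not in
# the 'tftp' client package the original probe looked at; either one counts
# as "a TFTP server is installed" for this control.
is_tftp_installed = package('tftp').installed? || package('tftp-server').installed?
# No test is emitted when neither package is present, matching the STIG's
# "Not Applicable" outcome.
if is_tftp_installed
  describe file('/etc/xinetd.d/tftp') do
    # "-s" must be a standalone option: the original ".*-s.*" also matched
    # any other option beginning with "-s".
    its('content') { should match /^server_args\s*=\s*(.*\s)?-s(\s|$)/ }
    its('content') { should match /^server_args\s*=.*\/var\/lib\/tftpboot.*$/ }
  end
end
# STOP_DESCRIBE RHEL-07-040520

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040540.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040540 - Remote X connections for interactive users must be encrypted.'
control 'RHEL-07-040540' do
impact 1.0
title 'Remote X connections for interactive users must be encrypted.'
desc 'Open X displays allow an attacker to capture keystrokes and execute commands remotely.'
tag 'stig', 'RHEL-07-040540'
tag severity: 'high'
tag checkid: 'C-RHEL-07-040540_chk'
tag fixid: 'F-RHEL-07-040540_fix'
tag version: 'RHEL-07-040540'
tag ruleid: 'RHEL-07-040540_rule'
tag fixtext: 'Configure SSH to encrypt connections for interactive users.

Edit the /etc/ssh/sshd_config file to uncomment or add the line for the X11Forwarding keyword and set its value to “yes” (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

X11Fowarding yes'
tag checktext: 'Verify remote X connections for interactive users are encrypted.

Check that remote X connections are encrypted with the following command:

# grep -i x11forwarding /etc/ssh/sshd_config
X11Fowarding yes

If the X11Forwarding keyword is set to "no", is missing, or is commented out, this is a finding.'

# START_DESCRIBE RHEL-07-040540
# A missing keyword yields nil, which fails eq 'yes' — matching the STIG,
# which treats "missing" as a finding.
# NOTE(review): sshd_config parses the file at its default path; a daemon
# started with another -f path is not covered — confirm for this deployment.
describe sshd_config do
  its('X11Forwarding') { should eq 'yes' }
end
# STOP_DESCRIBE RHEL-07-040540

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040560.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040560 - An X Windows display manager must not be installed unless approved.'
control 'RHEL-07-040560' do
impact 0.5
title 'An X Windows display manager must not be installed unless approved.'
desc 'Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.'
tag 'stig', 'RHEL-07-040560'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040560_chk'
tag fixid: 'F-RHEL-07-040560_fix'
tag version: 'RHEL-07-040560'
tag ruleid: 'RHEL-07-040560_rule'
tag fixtext: 'Document the requirement for an X Windows server with the ISSM or remove the related packages with the following commands:

#yum groupremove "X Window System"

#yum remove xorg-x11-server-common'
tag checktext: 'Verify that if the system has X Windows installed, it is authorized.

Check for the X11 package with the following command:

#yum groupinstall "X Window System"

Ask the System Administrator (SA) if use of the X Windows system is an operational requirement.

If the use of X Windows on the system is not documented with the Information System Security Manager (ISSM), this is a finding.'

# START_DESCRIBE RHEL-07-040560
# Only the package named in the fix text is checked; documented, approved
# installations will show as failures and need a manual waiver.
describe package('xorg-x11-server-common') do
  it { should_not be_installed }
end
# STOP_DESCRIBE RHEL-07-040560

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040580.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040580 - SNMP community strings must be changed from the default.'
control 'RHEL-07-040580' do
impact 1.0
title 'SNMP community strings must be changed from the default.'
desc 'Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.'
tag 'stig', 'RHEL-07-040580'
tag severity: 'high'
tag checkid: 'C-RHEL-07-040580_chk'
tag fixid: 'F-RHEL-07-040580_fix'
tag version: 'RHEL-07-040580'
tag ruleid: 'RHEL-07-040580_rule'
tag fixtext: 'If the “/etc/snmp/snmpd.conf” file exists, modify any lines that contain a community string of public or private to another string.'
tag checktext: 'Verify that a system using SNMP is not using default community strings.

Check to see if the “/etc/snmp/snmpd.conf” file exists with the following command:

# ls -al /etc/snmp/snmpd.conf
-rw------- 1 root root 52640 Mar 12 11:08 snmpd.conf

If the file does not exist, this is Not Applicable.

If the file does exist, check for the default community strings with the following commands:

# grep public /etc/snmp/snmpd.conf
# grep private /etc/snmp/snmpd.conf

If either of these command returns any output, this is a finding.'

# START_DESCRIBE RHEL-07-040580
# Probe first so the content check only runs when the file exists (STIG:
# "Not Applicable" otherwise). The misspelled name is kept because the
# describe block below refers to it.
snmpd_conf_exits = file('/etc/snmp/snmpd.conf').file?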
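if snmpd_conf_exits
  describe file('/etc/snmp/snmpd.conf') do
    # Match "public"/"private" only as whole words and only before any "#"
    # on the line: the original /.*(public|private).*/ also fired on the
    # commented examples shipped in a stock snmpd.conf and on substrings
    # such as "publicly", so the control could never pass on such a system.
    its('content') { should_not match /^[^#\n]*\b(public|private)\b/ }
  end
end
# STOP_DESCRIBE RHEL-07-040580

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040590.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040590 - The SSH daemon must be configured to only use the SSHv2 protocol.'
control 'RHEL-07-040590' do
impact 1.0
title 'The SSH daemon must be configured to only use the SSHv2 protocol.'
desc 'SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227'
tag 'stig', 'RHEL-07-040590'
tag severity: 'high'
tag checkid: 'C-RHEL-07-040590_chk'
tag fixid: 'F-RHEL-07-040590_fix'
tag version: 'RHEL-07-040590'
tag ruleid: 'RHEL-07-040590_rule'
tag fixtext: 'Remove all Protocol lines that reference version 1 in /etc/ssh/sshd_config (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:

Protocol 2'
tag checktext: 'Verify the SSH daemon is configured to only use the SSHv2 protocol.

Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:

# grep -i protocol /etc/ssh/sshd_config
Protocol 2
#Protocol 1,2

If any protocol line other than "Protocol 2" is uncommented, this is a finding.'

# START_DESCRIBE RHEL-07-040590
# An absent Protocol line yields nil and fails this check.
# NOTE(review): newer OpenSSH releases dropped SSHv1 and no longer accept
# the Protocol keyword, so on such builds this control fails even though
# only SSHv2 is possible — confirm the target OpenSSH version.
describe sshd_config do
  its('Protocol') { should eq '2' }
end
# STOP_DESCRIBE RHEL-07-040590

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040620.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040620 - The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.'
control 'RHEL-07-040620' do
impact 0.5
title 'The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.'
desc 'DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.'
tag 'stig', 'RHEL-07-040620'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040620_chk'
tag fixid: 'F-RHEL-07-040620_fix'
tag version: 'RHEL-07-040620'
tag ruleid: 'RHEL-07-040620_rule'
tag fixtext: 'Edit the /etc/ssh/sshd_config file to uncomment or add the line for the MACs keyword and set its value to “hmac-sha2-256” and/or “hmac-sha2-512 “(this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):

MACs hmac-sha2-256,hmac-sha2-512'
tag checktext: 'Verify the SSH daemon is configured to only use MACs employing FIPS 140-2 approved ciphers.

Note: If RHEL-07-021280 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.

Check that the SSH daemon is configured to only use MACs employing FIPS 140-2 approved ciphers with the following command:

# grep -i macs /etc/ssh/sshd_config
MACs hmac-sha2-256,hmac-sha2-512

If any ciphers other than “hmac-sha2-256” or “hmac-sha2-512” are listed or the retuned line is commented out, this is a finding.'

# START_DESCRIBE RHEL-07-040620
# The STIG allows hmac-sha2-256 "and/or" hmac-sha2-512 and only forbids
# other MACs, so the value is accepted when every comma-separated entry is
# one of the two (any order, either alone). The original exact-string
# comparison rejected 'hmac-sha2-512,hmac-sha2-256' and a single MAC,
# both of which are compliant. A missing keyword is nil and still fails.
describe sshd_config do
  its('MACs') { should match(/\Ahmac-sha2-(256|512)(,hmac-sha2-(256|512))*\z/) }
end
# STOP_DESCRIBE RHEL-07-040620

end
-------------------------------------------------------------------------------- /controls/RHEL-07-040640.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040640 - The SSH public host key files must have mode 0644 or less permissive.'
control 'RHEL-07-040640' do
impact 0.5
title 'The SSH public host key files must have mode 0644 or less permissive.'
desc 'If a public host key file is modified by an unauthorized user, the SSH service may be compromised.'
tag 'stig', 'RHEL-07-040640'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040640_chk'
tag fixid: 'F-RHEL-07-040640_fix'
tag version: 'RHEL-07-040640'
tag ruleid: 'RHEL-07-040640_rule'
tag fixtext: 'Note: SSH public key files may be found in other directories on the system depending on the installation.

The following command will find all SSH public key files on the system:

# find / -name ‘*key.pub’

Change the mode of public host key files under “/etc/ssh” to “0644” with the following command:

# chmod 0644 /etc/ssh/*.key.pub'
tag checktext: 'Verify the SSH public host key files have mode “0644” or less permissive.

Note: SSH public key files may be found in other directories on the system depending on the installation.

The following command will find all SSH public key files on the system:

# find / -name \'*.pub\'

Check the mode of the public host key files under /etc/ssh file with the following command:

# ls -lL /etc/ssh/*.pub
-rw-r--r-- 1 root wheel 618 Nov 28 06:43 ssh_host_dsa_key.pub
-rw-r--r-- 1 root wheel 347 Nov 28 06:43 ssh_host_key.pub
-rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub

If any file has a mode more permissive than “0644”, this is a finding.'

# START_DESCRIBE RHEL-07-040640
# -perm /... lists any regular *.pub file with a bit set beyond 0644 (owner
# execute, or group/other write or execute). The walk covers the whole
# filesystem, so it also reports users' own *.pub files, not just host keys,
# and it can be slow on large mounts; errors are discarded, so a failed
# walk looks the same as a clean one.
describe command('find / -type f -perm /u=x,g=w+x,o=w+x -name "*.pub" 2> /dev/null') do
  its('stdout') { should eq '' }
end
# STOP_DESCRIBE RHEL-07-040640

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040650.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040650 - The SSH private host key files must have mode 0600 or less permissive.'
control 'RHEL-07-040650' do
impact 0.5
title 'The SSH private host key files must have mode 0600 or less permissive.'
desc 'If an unauthorized user obtains the private SSH host key file, the host could be impersonated.'
tag 'stig', 'RHEL-07-040650'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040650_chk'
tag fixid: 'F-RHEL-07-040650_fix'
tag version: 'RHEL-07-040650'
tag ruleid: 'RHEL-07-040650_rule'
tag fixtext: 'Configure the mode of SSH private host key files under “/etc/ssh” to “0600” with the following command:

# chmod 0600 /etc/ssh/ssh_host*key'
tag checktext: 'Verify the SSH private host key files have mode “0600” or less permissive.

The following command will find all SSH private key files on the system:

# find / -name \'*ssh_host*key\'

Check the mode of the private host key files under /etc/ssh file with the following command:

# ls -lL /etc/ssh/*key
-rw------- 1 root wheel 668 Nov 28 06:43 ssh_host_dsa_key
-rw------- 1 root wheel 582 Nov 28 06:43 ssh_host_key
-rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key

If any file has a mode more permissive than “0600”, this is a finding.'

# START_DESCRIBE RHEL-07-040650
# Any bit beyond 0600 (owner execute, any group or other permission) is a
# finding. -type f is added so the check matches RHEL-07-040640 and only
# regular files are reported. Same caveats as that control: whole-filesystem
# walk, and errors are discarded.
describe command('find / -type f -name "*ssh_host*key" -perm /u=x,g=r+w+x,o=w+r+x 2> /dev/null') do
  its('stdout') { should eq '' }
end
# STOP_DESCRIBE RHEL-07-040650

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040660.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040660 - The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.'
control 'RHEL-07-040660' do
impact 0.5
title 'The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.'
desc 'GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system’s GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.'
tag 'stig', 'RHEL-07-040660'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040660_chk'
tag fixid: 'F-RHEL-07-040660_fix'
tag version: 'RHEL-07-040660'
tag ruleid: 'RHEL-07-040660_rule'
tag fixtext: 'Uncomment the “GSSAPIAuthentication” keyword in /etc/ssh/sshd_config (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":

GSSAPIAuthentication no

If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.'
tag checktext: 'Verify the SSH daemon does not permit GSSAPI authentication unless approved.

Check that the SSH daemon does not permit GSSAPI authentication with the following command:

# grep -i gssapiauth /etc/ssh/sshd_config
GSSAPIAuthentication no

If the “GSSAPIAuthentication” keyword is missing, is set to “yes” and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.'

# START_DESCRIBE RHEL-07-040660
# The keyword must be explicitly set to "no"; a missing or commented-out
# keyword yields nil and is a finding per the check text.
describe sshd_config do
  its('GSSAPIAuthentication') { should eq 'no' }
end
# STOP_DESCRIBE RHEL-07-040660

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040670.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040670 - The SSH daemon must not permit Kerberos authentication unless needed.'
control 'RHEL-07-040670' do
impact 0.5
title 'The SSH daemon must not permit Kerberos authentication unless needed.'
desc 'Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system\'s Kerberos implementation. Vulnerabilities in the system\'s Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.'
tag 'stig', 'RHEL-07-040670'
tag severity: 'medium'
tag checkid: 'C-RHEL-07-040670_chk'
tag fixid: 'F-RHEL-07-040670_fix'
tag version: 'RHEL-07-040670'
tag ruleid: 'RHEL-07-040670_rule'
tag fixtext: 'Uncomment the “KerberosAuthentication” keyword in /etc/ssh/sshd_config (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":

KerberosAuthentication no

If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.'
tag checktext: 'Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.

Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:

# grep -i kerberosauth /etc/ssh/sshd_config
KerberosAuthentication no

If the “KerberosAuthentication” keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.'

# START_DESCRIBE RHEL-07-040670
# Same shape as RHEL-07-040660: an explicit "no" is required, nil fails.
describe sshd_config do
  its('KerberosAuthentication') { should eq 'no' }
end
# STOP_DESCRIBE RHEL-07-040670

end

-------------------------------------------------------------------------------- /controls/RHEL-07-040680.rb: --------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040680 - The SSH daemon must perform strict mode checking of home directory configuration files.'
control 'RHEL-07-040680' do
impact 0.5
title 'The SSH daemon must perform strict mode checking of home directory configuration files.'
desc 'If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.'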
12 | tag 'stig', 'RHEL-07-040680' 13 | tag severity: 'medium' 14 | tag checkid: 'C-RHEL-07-040680_chk' 15 | tag fixid: 'F-RHEL-07-040680_fix' 16 | tag version: 'RHEL-07-040680' 17 | tag ruleid: 'RHEL-07-040680_rule' 18 | tag fixtext: 'Uncomment the “StrictModes” keyword in /etc/ssh/sshd_config (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes": 19 | 20 | StrictModes yes' 21 | tag checktext: 'Verify the SSH daemon performs strict mode checking of home directory configuration files. 22 | 23 | The location of the sshd_config file may vary on the system and can be found using the following command: 24 | 25 | # find / -name \'sshd*_config\' 26 | 27 | If there is more than one ssh server daemon configuration file on the system, determine which daemons are active on the system with the following command: 28 | 29 | # ps -ef | grep sshd 30 | 31 | The command will return the full path of the ssh daemon. This will indicate which sshd_config file will be checked with the following command: 32 | 33 | # grep -i strictmodes /etc/ssh/sshd_config 34 | StrictModes yes 35 | 36 | If “StrictModes” is set to "no", is missing, or the retuned line is commented out, this is a finding.' 37 | 38 | # START_DESCRIBE RHEL-07-040680 39 | describe sshd_config do 40 | its('StrictModes') { should eq 'yes' } 41 | end 42 | # STOP_DESCRIBE RHEL-07-040680 43 | 44 | end 45 | 46 | -------------------------------------------------------------------------------- /controls/RHEL-07-040690.rb: -------------------------------------------------------------------------------- 1 | # encoding: utf-8 2 | # copyright: 2016, you 3 | # license: All rights reserved 4 | # date: 2016-01-14 5 | # description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. 
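# The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040690 - The SSH daemon must use privilege separation.'
control 'RHEL-07-040690' do
  impact 0.5
  title 'The SSH daemon must use privilege separation.'
  desc 'SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.'
  tag 'stig', 'RHEL-07-040690'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040690_chk'
  tag fixid: 'F-RHEL-07-040690_fix'
  tag version: 'RHEL-07-040690'
  tag ruleid: 'RHEL-07-040690_rule'
  tag fixtext: 'Uncomment the “UsePrivilegeSeparation” keyword in /etc/ssh/sshd_config (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":

UsePrivilegeSeparation yes'
  tag checktext: 'Verify the SSH daemon performs privilege separation.

Check that the SSH daemon performs privilege separation with the following command:

# grep -i usepriv /etc/ssh/sshd_config
UsePrivilegeSeparation yes

If the “UsePrivilegeSeparation” keyword is set to "no", is missing, or the retuned line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040690
  # Only the literal 'yes' passes; a missing or commented-out keyword fails,
  # as the check text requires.
  # NOTE(review): newer OpenSSH releases deprecated this keyword (privilege
  # separation became mandatory), so on such builds the setting may be absent
  # from sshd_config and this test would report a finding — confirm the
  # OpenSSH version on the target before treating that as a real failure.
  describe sshd_config do
    its('UsePrivilegeSeparation') { should eq 'yes' }
  end
  # STOP_DESCRIBE RHEL-07-040690

end

--------------------------------------------------------------------------------
/controls/RHEL-07-040700.rb:
--------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040700 - The SSH daemon must not allow compression or must only allow compression after successful authentication.'
control 'RHEL-07-040700' do
  impact 0.5
  title 'The SSH daemon must not allow compression or must only allow compression after successful authentication.'
  desc 'If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.'
  tag 'stig', 'RHEL-07-040700'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040700_chk'
  tag fixid: 'F-RHEL-07-040700_fix'
  tag version: 'RHEL-07-040700'
  tag ruleid: 'RHEL-07-040700_rule'
  tag fixtext: 'Uncomment the “Compression” keyword in /etc/ssh/sshd_config (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":

Compression no'
  tag checktext: 'Verify the SSH daemon performs compression after a user successfully authenticates.

Check that the SSH daemon performs compression after a user successfully authenticates with the following command:

# grep -i compression /etc/ssh/sshd_config
Compression delayed

If the “Compression” keyword is set to “yes”, is missing, or the retuned line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040700
  # Both "delayed" and "no" satisfy the requirement. \A and \z anchor the whole
  # value; ^ and $ only anchor a line, so they would also accept a value that
  # has extra text on a following line. A missing keyword (nil) still fails.
  # The regex is parenthesised so Ruby does not warn about an ambiguous first
  # argument to `match`.
  describe sshd_config do
    its('Compression') { should match(/\A(delayed|no)\z/) }
  end
  # STOP_DESCRIBE RHEL-07-040700

end

--------------------------------------------------------------------------------
/controls/RHEL-07-040730.rb:
--------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040730 - The system must not be performing packet forwarding unless the system is a router.'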
control 'RHEL-07-040730' do
  impact 0.5
  title 'The system must not be performing packet forwarding unless the system is a router.'
  desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.'
  tag 'stig', 'RHEL-07-040730'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040730_chk'
  tag fixid: 'F-RHEL-07-040730_fix'
  tag version: 'RHEL-07-040730'
  tag ruleid: 'RHEL-07-040730_rule'
  tag fixtext: 'Set the system to the required kernel parameter by adding the following line to /etc/sysctl.conf (or modify the line to have the required value):

net.ipv4.ip_forward = 0'
  tag checktext: 'Verify the system is not performing packet forwarding, unless the system is a router.

Check to see if IP forwarding is enabled using the following command:

# /sbin/sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward=0

If IP forwarding value is “1” and the system is hosting any application, database, or web servers, this is a finding.'

  # START_DESCRIBE RHEL-07-040730
  # Reads the live sysctl value (not /etc/sysctl.conf), so a runtime change is
  # caught even if the persisted setting is correct, and vice versa.
  # NOTE(review): the check text exempts systems that act as routers; this test
  # unconditionally requires 0, so a documented router fails here. Nothing in
  # this file lets a profile user express that exception.
  describe kernel_parameter('net.ipv4.ip_forward') do
    its('value') { should eq 0 }
  end
  # STOP_DESCRIBE RHEL-07-040730

end

--------------------------------------------------------------------------------
/controls/RHEL-07-040810.rb:
--------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040810 - The system must use a local firewall.'
control 'RHEL-07-040810' do
  impact 0.5
  title 'The system must use a local firewall.'
  desc 'A firewall provides the ability to enhance system security posture by restricting services to known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.'
  tag 'stig', 'RHEL-07-040810'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040810_chk'
  tag fixid: 'F-RHEL-07-040810_fix'
  tag version: 'RHEL-07-040810'
  tag ruleid: 'RHEL-07-040810_rule'
  tag fixtext: 'Install “firewalld” on the system if it is not already installed with the following command:

# yum install firewalld firewall-config

Enable firewalld with the following command:

#systemctl enable firewalld'
  tag checktext: 'Verify that a firewall is in use on the system.

Check to see if “firewalld” is installed with the following command:

# yum list installed | grep firewalld

If “firewalld” is not installed, ask the System Administrator if they are performing another method of access control (such as iptables) for all network services on the system.

If there is no access control being performed on all network services, this is a finding.

If “firewalld” is installed, determine whether it is active with the following command:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago

If “firewalld” is not active, this is a finding.'
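
  # START_DESCRIBE RHEL-07-040810
  # NOTE(review): the check text accepts another access-control method (such as
  # iptables) when firewalld is not installed; this test is stricter and
  # requires the firewalld service itself to be enabled and running.
  describe service('firewalld') do
    it { should be_running }
    it { should be_enabled }
  end
  # STOP_DESCRIBE RHEL-07-040810

end

--------------------------------------------------------------------------------
/controls/RHEL-07-040860.rb:
--------------------------------------------------------------------------------
# encoding: utf-8
# copyright: 2016, you
# license: All rights reserved
# date: 2016-01-14
# description: This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
# impacts
title 'RHEL-07-040860 - The system must not forward IPv6 source-routed packets.'
control 'RHEL-07-040860' do
  impact 0.5
  title 'The system must not forward IPv6 source-routed packets.'
  desc 'Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.'
  tag 'stig', 'RHEL-07-040860'
  tag severity: 'medium'
  tag checkid: 'C-RHEL-07-040860_chk'
  tag fixid: 'F-RHEL-07-040860_fix'
  tag version: 'RHEL-07-040860'
  tag ruleid: 'RHEL-07-040860_rule'
  tag fixtext: 'Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to /etc/sysctl.conf (or modify the line to have the required value):

net.ipv6.conf.all.accept_source_route = 0'
  tag checktext: 'Verify the system does not accept IPv6 source-routed packets.

Note: If IPv6 is not enabled, the key will not exist, and this is not a finding.

Check the value of the accept source route variable with the following command:

# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route
net.ipv6.conf.all.accept_source_route=0

If the returned lines do not have a value of “0”, a line is not returned, or the retuned line is commented out, this is a finding.'

  # START_DESCRIBE RHEL-07-040860
  # The check text states that a missing key (IPv6 not enabled) is not a
  # finding, but a bare `should eq 0` reports whatever the resource returns for
  # an absent key (nil, presumably) as a failure. The sysctl key is backed by
  # the matching /proc/sys path, so test for that first and skip cleanly,
  # with a reason, when it is absent instead of raising a false finding.
  if file('/proc/sys/net/ipv6/conf/all/accept_source_route').exist?
    describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do
      its('value') { should eq 0 }
    end
  else
    describe 'net.ipv6.conf.all.accept_source_route' do
      skip 'IPv6 is not enabled on this system, so the key does not exist; not a finding per the check text.'
    end
  end
  # STOP_DESCRIBE RHEL-07-040860

end

--------------------------------------------------------------------------------
/inspec.yml:
--------------------------------------------------------------------------------
name: STIG_RHEL7
title: STIG for Redhat Enterprise Linux 7
supports:
  - os-family: redhat
maintainer: Paul Czarkowski
copyright: Paul Czarkowski
copyright_email: username.taken@gmail.com
license: Apache 2
summary: |
  An InSpec Compliance for Redhat Enterprise Linux 7
  part of the [inspec-stig](https://github.com/inspec-stigs) family.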
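version: 0.1.0
--------------------------------------------------------------------------------
/libraries/iptables6.rb:
--------------------------------------------------------------------------------
# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter

require 'shellwords'

# Usage:
# describe ip6tables do
#   it { should have_rule('-P INPUT ACCEPT') }
# end
#
# The following serverspec syntax is not implemented:
# describe ip6tables do
#   it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }
# end
# Please use the new syntax:
# describe ip6tables(table:'mangle', chain: 'input') do
#   it { should have_rule('-P INPUT ACCEPT') }
# end
#
# Note: Docker containers normally do not have iptables installed
#
# @see http://ipset.netfilter.org/iptables.man.html
# @see https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
class Ip6Tables < Inspec.resource(1)
  name 'ip6tables'
  desc 'Use the ip6tables InSpec audit resource to test rules that are defined in ip6tables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.'
  example "
    describe ip6tables do
      it { should have_rule('-P INPUT ACCEPT') }
    end
  "

  # @param params [Hash] optional :table and :chain restricting which rules
  #   `ip6tables -S` is asked for; both default to nil (all tables/chains)
  def initialize(params = {})
    @table = params[:table]
    @chain = params[:chain]

    # we're done if we are on linux
    return if inspec.os.linux?

    # ensures, all calls are aborted for non-supported os
    @iptables_cache = []
    skip_resource 'The `ip6tables` resource is not supported on your OS yet.'
  end

  # @param rule [String, nil] a rule exactly as `ip6tables -S` prints it;
  #   compared case-insensitively, no normalisation of option order
  # @param _table, _chain ignored; kept for serverspec call compatibility
  # @return [Boolean] true when the rule is present in the loaded ruleset
  def has_rule?(rule = nil, _table = nil, _chain = nil)
    # a nil rule can never match; guarding here also avoids String#casecmp
    # raising TypeError on older Rubies when handed nil
    return false if rule.nil?

    # for now, we expect an exact (case-insensitive) match
    retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
  end

  # Runs `ip6tables -S` (optionally restricted to @table / @chain) once and
  # memoises the stripped output lines in @iptables_cache.
  # @return [Array<String>] rules, or [] when the command fails
  def retrieve_rules
    return @iptables_cache if defined?(@iptables_cache)

    # construct iptables command to read all rules. table and chain come from
    # the profile author, but they are still spliced into a shell command line,
    # so escape them rather than interpolating raw; plain names such as
    # "mangle" or "INPUT" are passed through unchanged.
    table_cmd = "-t #{Shellwords.escape(@table.to_s)}" if @table
    chain_arg = Shellwords.escape(@chain.to_s) if @chain
    iptables_cmd = format('ip6tables %s -S %s', table_cmd, chain_arg).strip

    cmd = inspec.command(iptables_cmd)
    # a failing command is deliberately not cached, so a later call retries it
    return [] if cmd.exit_status.to_i != 0

    # split rules, returns array of rules
    @iptables_cache = cmd.stdout.split("\n").map(&:strip)
  end

  # Human-readable label used in test output, e.g. "Ip6tables table: mangle chain: INPUT".
  def to_s
    format('Ip6tables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
  end
end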