Guide to the Secure Configuration of Red Hat Enterprise Linux 8 (draft)

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

This benchmark is a direct port of a SCAP Security Guide benchmark developed for Red Hat Enterprise Linux. It has been modified through an automated process to remove specific dependencies on Red Hat Enterprise Linux and to function with CentOS.
The result is a generally useful SCAP Security Guide benchmark with the following caveats:

- CentOS is not an exact copy of Red Hat Enterprise Linux. There may be configuration differences that produce false positives and/or false negatives. If this occurs please file a bug report.
- CentOS has its own build system, compiler options, patchsets, and is a community supported, non-commercial operating system. CentOS does not inherit certifications or evaluations from Red Hat Enterprise Linux. As such, some configuration rules (such as those requiring FIPS 140-2 encryption) will continue to fail on CentOS.

Members of the CentOS community are invited to participate in OpenSCAP and SCAP Security Guide development. Bug reports and patches can be sent to GitHub: https://github.com/OpenSCAP/scap-security-guide. The mailing list is at https://fedorahosted.org/mailman/listinfo/scap-security-guide.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.
0.1.57 SCAP Security Guide Project SCAP Security Guide Project Frank J Cameron (CAM1244) <cameron@ctc.com> 0x66656c6978 <0x66656c6978@users.noreply.github.com> Jack Adolph <jack.adolph@gmail.com> Gabe Alford <redhatrises@gmail.com> Firas AlShafei <firas.alshafei@us.abb.com> Rodrigo Alvares <ralvares@redhat.com> Christopher Anderson <cba@fedoraproject.org> angystardust <angystardust@users.noreply.github.com> anivan-suse <anastasija.ivanovic@suse.com> anixon-rh <55244503+anixon-rh@users.noreply.github.com> Chuck Atkins <chuck.atkins@kitware.com> Ryan Ballanger <root@rballang-admin-2.fastenal.com> Alex Baranowski <alex@euro-linux.com> Eduardo Barretto <eduardo.barretto@canonical.com> Molly Jo Bault <Molly.Jo.Bault@ballardtech.com> Gabriel Becker <ggasparb@redhat.com> Alexander Bergmann <abergmann@suse.com> Dale Bewley <dale@bewley.net> Jose Luis BG <bgjoseluis@gmail.com> Joseph Bisch <joseph.bisch@gmail.com> Jeffrey Blank <blank@eclipse.ncsc.mil> Olivier Bonhomme <ptitoliv@ptitoliv.net> Lance Bragstad <lbragstad@gmail.com> Ted Brunell <tbrunell@redhat.com> Matthew Burket <mburket@redhat.com> Blake Burkhart <blake.burkhart@us.af.mil> Patrick Callahan <pmc@patrickcallahan.com> George Campbell <gcampbell@palantir.com> Nick Carboni <ncarboni@redhat.com> James Cassell <james.cassell@ll.mit.edu> Frank Caviggia <fcaviggi@ra.iad.redhat.com> Eric Christensen <echriste@redhat.com> Jayson Cofell <1051437+70k10@users.noreply.github.com> Caleb Cooper <coopercd@ornl.gov> Richard Maciel Costa <richard.maciel.costa@canonical.com> Deric Crago <deric.crago@gmail.com> Will Cushen <wcushen@redhat.com> cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com> Maura Dailey <maura@eclipse.ncsc.mil> Klaas Demter <demter@atix.de> dhanushkar-wso2 <dhanushkar@wso2.com> Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu> dom <dominique.blaze@devinci.fr> Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr> drax <applezip@gmail.com> Sebastian Dunne <sdunne@redhat.com> François Duthilleul 
<francoisduthilleul@gmail.com> Greg Elin <gregelin@gitmachines.com> eradot4027 <jrtonmac@gmail.com> Alexis Facques <alexis.facques@mythalesgroup.io> Leah Fisher <lfisher047@gmail.com> Alijohn Ghassemlouei <alijohn@secureagc.com> ghylock <ghylock@gmail.com> Andrew Gilmore <agilmore2@gmail.com> Joshua Glemza <jglemza@nasa.gov> Nick Gompper <forestgomp@yahoo.com> Loren Gordon <lorengordon@users.noreply.github.com> Patrik Greco <sikevux@sikevux.se> Steve Grubb <sgrubb@redhat.com> Marek Haicman <mhaicman@redhat.com> Alex Haydock <alex@alexhaydock.co.uk> Rebekah Hayes <rhayes@corp.rivierautilities.com> Trey Henefield <thenefield@gmail.com> Henning Henkel <henning.henkel@helvetia.ch> hex2a <hex2a@users.noreply.github.com> John Hooks <jhooks@starscream.pa.jhbcomputers.com> Jakub Hrozek <jhrozek@redhat.com> De Huo <De.Huo@windriver.com> Robin Price II <robin@redhat.com> Yasir Imam <yimam@redhat.com> Jiri Jaburek <jjaburek@redhat.com> Keith Jackson <keithkjackson@gmail.com> Jeremiah Jahn <jeremiah@goodinassociates.com> Jakub Jelen <jjelen@redhat.com> Jessicahfy <Jessicahfy@users.noreply.github.com> Stephan Joerrens <Stephan.Joerrens@fiduciagad.de> Jono <jono@ubuntu-18.localdomain> Kai Kang <kai.kang@windriver.com> Charles Kernstock <charles.kernstock@ultra-ats.com> Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> Nathan Kinder <nkinder@redhat.com> Lee Kinser <lee.kinser@gmail.com> Evgeny Kolesnikov <ekolesni@redhat.com> Peter 'Pessoft' Kolínek <github@pessoft.com> Luke Kordell <luke.t.kordell@lmco.com> Malte Kraus <malte.kraus@suse.com> Seth Kress <seth.kress@dsainc.com> kspargur <kspargur@kspargur.csb> Amit Kumar <amitkuma@redhat.com> Fen Labalme <fen@civicactions.com> Ade Lee <alee@redhat.com> Christopher Lee <Crleekwc@gmail.com> Ian Lee <lee1001@llnl.gov> Jarrett Lee <jarrettl@umd.edu> Joseph Lenox <lordofhyphens@gmail.com> Jan Lieskovsky <jlieskov@redhat.com> Šimon Lukašík <slukasik@redhat.com> Milan Lysonek <mlysonek@redhat.com> Fredrik Lysén <fredrik@pipemore.se> Caitlin 
Macleod <caitelatte@gmail.com> Nick Maludy <nmaludy@gmail.com> Lokesh Mandvekar <lsm5@fedoraproject.org> Matus Marhefka <mmarhefk@redhat.com> Jamie Lorwey Martin <jlmartin@redhat.com> Carlos Matos <cmatos@redhat.com> Robert McAllister <rmcallis@redhat.com> Michael McConachie <michael@redhat.com> Marcus Meissner <meissner@suse.de> Khary Mendez <kmendez@redhat.com> Rodney Mercer <rmercer@harris.com> Matt Micene <nzwulfin@gmail.com> Brian Millett <bmillett@gmail.com> Takuya Mishina <tmishina@jp.ibm.com> Mixer9 <35545791+Mixer9@users.noreply.github.com> mmosel <mmosel@kde.example.com> Zbynek Moravec <zmoravec@redhat.com> Kazuo Moriwaka <moriwaka@users.noreply.github.com> Michael Moseley <michael@eclipse.ncsc.mil> Renaud Métrich <rmetrich@redhat.com> Joe Nall <joe@nall.com> Neiloy <neiloy@redhat.com> Axel Nennker <axel@nennker.de> Michele Newman <mnewman@redhat.com> Sean O'Keeffe <seanokeeffe797@gmail.com> Ilya Okomin <ilya.okomin@oracle.com> Kaustubh Padegaonkar <theTuxRacer@gmail.com> Michael Palmiotto <mpalmiotto@tresys.com> Eryx Paredes <eryxp@lyft.com> Max R.D. Parmer <maxp@trystero.is> Jan Pazdziora <jpazdziora@redhat.com> pcactr <paul.c.arnold4.ctr@mail.mil> Kenneth Peeples <kennethwpeeples@gmail.com> Nathan Peters <Nathaniel.Peters@ca.com> Frank Lin PIAT <fpiat@klabs.be> Stefan Pietsch <mail.ipv4v6+gh@gmail.com> piggyvenus <piggyvenus@gmail.com> Vojtech Polasek <vpolasek@redhat.com> Orion Poplawski <orion@nwra.com> Nick Poyant <npoyant@redhat.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> T.O. 
Radzy Radzykewycz <radzy@windriver.com> Kenyon Ralph <kenyon@kenyonralph.com> Mike Ralph <mralph@redhat.com> Federico Ramirez <federico.r.ramirez@oracle.com> rchikov <rumen.chikov@suse.com> Rick Renshaw <Richard_Renshaw@xtoenergy.com> Chris Reynolds <c.reynolds82@gmail.com> rhayes <rhayes@rivierautilities.com> Pat Riehecky <riehecky@fnal.gov> rlucente-se-jboss <rlucente@redhat.com> Juan Antonio Osorio Robles <jaosorior@redhat.com> Matt Rogers <mrogers@redhat.com> Jesse Roland <jesse.roland@onyxpoint.com> Joshua Roys <roysjosh@gmail.com> rrenshaw <bofh69@yahoo.com> Chris Ruffalo <chris.ruffalo@gmail.com> Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil> Earl Sampson <ESampson@suse.com> Willy Santos <wsantos@redhat.com> Gautam Satish <gautams@hpe.com> Watson Sato <wsato@redhat.com> Satoru SATOH <satoru.satoh@gmail.com> Alexander Scheel <ascheel@redhat.com> Bryan Schneiders <pschneiders@trisept.com> shaneboulden <shane.boulden@gmail.com> Spencer Shimko <sshimko@tresys.com> Mark Shoger <mshoger@redhat.com> Thomas Sjögren <konstruktoid@users.noreply.github.com> Francisco Slavin <fslavin@tresys.com> David Smith <dsmith@eclipse.ncsc.mil> Kevin Spargur <kspargur@redhat.com> Kenneth Stailey <kstailey.lists@gmail.com> Leland Steinke <leland.j.steinke.ctr@mail.mil> Justin Stephenson <jstephen@redhat.com> Brian Stinson <brian@bstinson.com> Jake Stookey <jakestookey@gmail.com> Jonathan Sturges <jsturges@redhat.com> teacup-on-rockingchair <strandjata@gmail.com> Ian Tewksbury <itewk@redhat.com> Philippe Thierry <phil@reseau-libre.net> Derek Thurston <thegrit@gmail.com> tianzhenjia <jiatianzhen@cmss.chinamobile.com> Greg Tinsley <gtinsley@redhat.com> Paul Tittle <ptittle@cmf.nrl.navy.mil> tomas.hudik <tomas.hudik@embedit.cz> Jeb Trayer <jeb.d.trayer@uscg.mil> Viktors Trubovics <viktors.trubovics@suse.com> Nico Truzzolino <nico.truzzolino@gmx.de> Brian Turek <brian.turek@gmail.com> Matěj Týč <matyc@redhat.com> Trevor Vaughan <tvaughan@onyxpoint.com> Samuel Warren 
<swarren@redhat.com> Shawn Wells <shawn@shawndwells.io> Daniel E. White <linuxdan@users.noreply.github.com> Bernhard M. Wiedemann <bwiedemann@suse.de> Roy Williams <roywilli@roywilli.redhat.com> Willumpie <willumpie@xs4all.nl> Rob Wilmoth <rwilmoth@redhat.com> Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> Xirui Yang <xirui.yang@oracle.com> yarunachalam <yarunachalam@suse.com> Guang Yee <guang.yee@suse.com> Kevin Zimmerman <kevin.zimmerman@kitware.com> Jan Černý <jcerny@redhat.com> Michal Šrubař <msrubar@redhat.com>

Latest release: https://github.com/OpenSCAP/scap-security-guide/releases/latest

Profile: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Ensures PCI-DSS v3.2.1 security configuration settings are applied.
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

Remediation functions used by the SCAP Security Guide Project
XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project.

System Settings
Contains rules that check correct system settings.

Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

Prefer to use a 64-bit Operating System when supported
Prefer installation of 64-bit operating systems when the CPU supports it. There is no remediation besides installing a 64-bit operating system.

References: BP28(R10)

Rationale: Use of a 64-bit operating system offers a few advantages, like a larger address space range for Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.

System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevention System, etc.
Installing or enabling integrity checking tools cannot prevent intrusions, but they can detect that an intrusion may have occurred. Requirements for integrity checking may be highly dependent on the environment in which the system will be used. Snapshot-based approaches such as AIDE may induce considerable overhead in the presence of frequent software updates.

Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of file metadata (such as hashes) and compares these to current system files in order to detect changes. The RPM package management system can conduct integrity checks by comparing information in its metadata database with files installed on the system.

Integrity Scan Notification Email Address
Specify the email address for designated personnel if baseline configurations are changed in an unauthorized manner.
Default: root@localhost

Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database. Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To list which files on the system differ from what is expected by the RPM database:

$ rpm -qVa

See the man page for rpm to see a complete explanation of each column.

Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security.
To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va --noconfig | grep '^..5'

A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:

$ rpm -qf FILENAME

The package can be reinstalled from a yum repository using the command:

$ sudo yum reinstall PACKAGENAME

Alternatively, the package can be reinstalled from trusted media using the command:

$ sudo rpm -Uvh PACKAGENAME

References: 6.1.1 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.3.8 3.4.1 CCI-000366 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(d) CM-6(c) SI-7 SI-7(1) SI-7(6) AU-9(3) PR.DS-6 PR.DS-8 PR.IP-1 Req-11.5 SRG-OS-000480-GPOS-00227

Rationale: The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Remediation Shell script:

# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
# From files names get package names and change newline to space, because rpm writes each package to new line
packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
yum reinstall -y $packages_to_reinstall

Remediation Ansible snippet:

- name: 'Set fact: Package manager reinstall command (dnf)'
  set_fact:
    package_manager_reinstall_cmd: dnf reinstall -y
  when: ansible_distribution == "Fedora"
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_hashes

- name: 'Set fact: Package manager reinstall command (yum)'
  set_fact:
    package_manager_reinstall_cmd: yum reinstall -y
  when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_hashes

- name: Read files with incorrect hash
  command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noghost --noconfig
  args:
    warn: false
  register: files_with_incorrect_hash
  changed_when: false
  failed_when: files_with_incorrect_hash.rc > 1
  check_mode: false
  when: (package_manager_reinstall_cmd is defined)
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_hashes

- name: Create list of packages
  command: rpm -qf "{{ item }}"
  args:
    warn: false
  with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}'
  register: list_of_packages
  changed_when: false
  check_mode: false
  when:
  - files_with_incorrect_hash.stdout_lines is defined
  - (files_with_incorrect_hash.stdout_lines | length > 0)
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_hashes

- name: Reinstall packages of files with incorrect hash
  command: '{{ package_manager_reinstall_cmd }} ''{{ item }}'''
  args:
    warn: false
  with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}'
  when:
  - files_with_incorrect_hash.stdout_lines is defined
  - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0))
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_hashes

Verify and Correct Ownership with RPM
The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security.
After locating a file with incorrect ownership, which can be found with

rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'

run the following command to determine which package owns it:

$ rpm -qf FILENAME

Next, run the following command to reset its ownership to the correct values:

$ sudo rpm --setugids PACKAGENAME

Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.

References: 1.8.1.4 1.8.1.5 1.8.1.6 6.1.1 6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 1 11 12 13 14 15 16 18 3 5 6 9 5.10.4.1 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.8 3.4.1 CCI-001494 CCI-001496 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CIP-003-3 R4.2 CIP-003-3 R6 CIP-007-3 R4 CIP-007-3 R4.1 CIP-007-3 R4.2 CM-6(d) CM-6(c) SI-7 SI-7(1) SI-7(6) AU-9(3) PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 Req-11.5 SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 SRG-OS-000278-GPOS-00108

Rationale: Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Remediation Shell script:

# Declare array to hold set of RPM packages we need to correct ownership for
declare -A SETPERMS_RPM_DICT

# Create a list of files on the system having ownership different from what
# is expected by the RPM database
readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
  # NOTE: some files may be controlled by more than one package, so rpm -qf can
  # print several names; collect each of them
  readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
  for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
  do
    # Use an associative array to store packages as its keys, not having to care about duplicates.
    SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
  done
done

# For each of the RPM packages left in the list -- reset its ownership to the
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
  rpm --setugids "${RPM_PACKAGE}"
done

Remediation Ansible snippet:

- name: Read list of files with incorrect ownership
  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
  args:
    warn: false
  register: files_with_incorrect_ownership
  failed_when: files_with_incorrect_ownership.rc > 1
  changed_when: false
  check_mode: false
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_ownership

- name: Create list of packages
  command: rpm -qf "{{ item }}"
  args:
    warn: false
  with_items: '{{ files_with_incorrect_ownership.stdout_lines | map(''regex_findall'', ''^[.]+[U|G]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}'
  register: list_of_packages
  changed_when: false
  check_mode: false
  when: (files_with_incorrect_ownership.stdout_lines | length > 0)
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_ownership

- name: Correct file ownership with RPM
  command: rpm --quiet --setugids '{{ item }}'
  args:
    warn: false
  with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}'
  when: (files_with_incorrect_ownership.stdout_lines | length > 0)
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_ownership

Verify and Correct File Permissions with RPM
The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command:

$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'

Output indicates files that do not match vendor defaults. After locating a file with incorrect permissions, run the following command to determine which package owns it:

$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:

$ sudo rpm --setperms PACKAGENAME

Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.
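The three RPM verification rules (hashes, ownership, permissions) each read a different column of the same rpm -Va listing. The script below, added here as an illustration and not part of the SCAP Security Guide, classifies one verify listing into all three remediation paths at once and keeps changed configuration files apart for review; the sample listing is constructed, and taking the path from the last field is the same assumption the guide's own awk one-liners make.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: classify "rpm -Va" output
# into the remediation paths used by the rpm_verify_hashes, rpm_verify_ownership
# and rpm_verify_permissions rules, so one verification run drives all three.
#
# Assumed line layout (standard rpm -V output): nine attribute columns
# S M 5 D L U G T P (size, mode, digest, device, link, user, group, mtime,
# capabilities; "." = unchanged), whitespace, an optional file-type letter
# (c = config, d = doc, g = ghost, ...), whitespace, then the path. Like the
# guide's awk one-liners this takes the path from the last field, so paths
# containing spaces are not handled.

# Read verify lines on stdin and print "<action> <path>" per finding:
#   reinstall      digest differs (column 3 = "5") on a non-config file
#   review-config  digest differs on a config file: may legitimately change,
#                  investigate via audit logs before reinstalling
#   setugids       owner (column 6 = "U") or group (column 7 = "G") differs
#   setperms       mode (column 2 = "M") differs
#   missing        a file recorded in the RPM database is absent
# One line can yield several actions (e.g. wrong digest and wrong mode).
classify_rpm_verify() {
  awk '
    $1 == "missing" { print "missing " $NF; next }
    NF < 2          { next }
    {
      flags = $1
      path  = $NF
      # the file-type letter is present only when the line has three fields
      ftype = (NF >= 3) ? $2 : ""
      if (substr(flags, 3, 1) == "5") {
        if (ftype == "c") print "review-config " path
        else              print "reinstall " path
      }
      if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        print "setugids " path
      if (substr(flags, 2, 1) == "M")
        print "setperms " path
    }'
}

# Select the distinct paths for one action; this is the list the guide hands
# to "rpm -qf" to find the packages to reinstall, --setugids or --setperms.
paths_for_action() {
  awk -v want="$1" '$1 == want { print $2 }' | sort -u
}

# Constructed sample of rpm -Va output (not a real scan).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/bin/sudo
.M.......    /usr/bin/passwd
.....UG..    /var/log/lastlog
.M5......    /usr/lib64/libcrypto.so.1.1
.......T.    /usr/share/man/man1/ls.1.gz
missing     /etc/issue.net'

# Stand-alone demo: every finding, then the paths that need reinstallation.
printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify
echo "--- paths to hand to rpm -qf for reinstall:"
printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify | paths_for_action reinstall
```

A file that only shows a mtime change (column 8 = "T") produces no action, which matches the guide's scripts that act on the digest, owner/group and mode columns only.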
References: 1.8.1.4 1.8.1.5 1.8.1.6 6.1.1 6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 1 11 12 13 14 15 16 18 3 5 6 9 5.10.4.1 APO01.06 APO11.04 BAI03.05 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.04 DSS05.07 DSS06.02 MEA02.01 3.3.8 3.4.1 CCI-001493 CCI-001494 CCI-001495 CCI-001496 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.3.3.9 4.3.3.5.8 4.3.3.7.3 4.3.4.3.2 4.3.4.3.3 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.1 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 5.2 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.2 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.5.1 A.12.6.2 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CIP-003-3 R4.2 CIP-003-3 R6 CIP-007-3 R4 CIP-007-3 R4.1 CIP-007-3 R4.2 CM-6(d) CM-6(c) SI-7 SI-7(1) SI-7(6) AU-9(3) CM-6(a) PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-1 Req-11.5 SRG-OS-000256-GPOS-00097 SRG-OS-000257-GPOS-00098 SRG-OS-000258-GPOS-00099 SRG-OS-000278-GPOS-00108

Rationale: Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.

Remediation Shell script:

# Declare array to hold set of RPM packages we need to correct permissions for
declare -A SETPERMS_RPM_DICT

# Create a list of files on the system having permissions different from what
# is expected by the RPM database
readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
  # NOTE: some files may be controlled by more than one package
  readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
  for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
  do
    # Use an associative array to store packages as its keys, not having to care about duplicates.
    SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
  done
done

# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
  rpm --restore "${RPM_PACKAGE}"
done

Remediation Ansible snippet:

- name: Read list of files with incorrect permissions
  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
  args:
    warn: false
  register: files_with_incorrect_permissions
  failed_when: files_with_incorrect_permissions.rc > 1
  changed_when: false
  check_mode: false
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

- name: Create list of packages
  command: rpm -qf "{{ item }}"
  args:
    warn: false
  with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}'
  register: list_of_packages
  changed_when: false
  check_mode: false
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

- name: Correct file permissions with RPM
  command: rpm --setperms '{{ item }}'
  args:
    warn: false
  with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}'
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
  tags:
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and then again after any software update. AIDE is highly configurable, with further configuration information located in /usr/share/doc/aide-VERSION.

Install AIDE
The aide package can be installed with the following command:

$ sudo yum install aide

References: BP28(R51) 1.4.1 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-002699 CCI-001744 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 1034 1288 1341 1417 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-6(a) DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 SRG-OS-000363-GPOS-00150 SV-230263r627750_rule

Rationale: The AIDE package must be installed if it is to be available for integrity checking.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010360
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed

Remediation Puppet snippet:

include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}

Remediation Kickstart snippet:

package --add=aide

Remediation OSBuild Blueprint snippet:

[[packages]]
name = "aide"
version = "*"

Build and Test AIDE Database
Run the following command to generate a new database:

$ sudo /usr/sbin/aide --init

By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To initiate a manual check, run the following command:

$ sudo /usr/sbin/aide --check

If this check produces any unexpected output, investigate.

References: BP28(R51) 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 CM-6(a) DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5

Rationale: For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
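The rule above recommends keeping the AIDE database, /etc/aide.conf and /usr/sbin/aide (or their hashes) in a secure location, because a check whose own inputs were altered reports nothing useful. As an added illustration, not part of the SCAP Security Guide, the script below pins those three files to a SHA-256 manifest and runs the check only while the manifest still verifies; the AIDE_BIN variable, the manifest location and the stand-in files in the demo are assumptions.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: before trusting
# "aide --check", verify that the AIDE database, /etc/aide.conf and the aide
# binary still match hashes pinned earlier to a manifest kept off the host
# (read-only media, as the guide suggests). AIDE_BIN, the manifest location
# and the stand-in files used in the demo are assumptions.

# Pin the named artifacts: write a sha256sum manifest.
# Usage: aide_pin_artifacts MANIFEST FILE...
aide_pin_artifacts() {
  local manifest=$1
  shift
  sha256sum "$@" > "$manifest"
}

# Return 0 only if every pinned artifact exists and still has its pinned hash.
aide_verify_artifacts() {
  sha256sum --status --check "$1"
}

# Run the AIDE check only when its inputs verify; return 2 without running AIDE
# when they do not, so a run against altered inputs is never mistaken for a clean one.
aide_checked_scan() {
  local manifest=$1
  if ! aide_verify_artifacts "$manifest"; then
    echo "AIDE database/config/binary differ from pinned hashes; scan refused" >&2
    return 2
  fi
  "${AIDE_BIN:-/usr/sbin/aide}" --check
}

# Constructed demo environment standing in for /var/lib/aide/aide.db.gz,
# /etc/aide.conf and /usr/sbin/aide (none of these are real AIDE files).
demo_dir=$(mktemp -d)
printf 'constructed stand-in for aide.db.gz\n' > "$demo_dir/aide.db.gz"
printf '@@define DBDIR /var/lib/aide\n/etc R\n' > "$demo_dir/aide.conf"
printf '#!/bin/sh\necho "stand-in aide invoked with: $*"\n' > "$demo_dir/aide"
chmod 755 "$demo_dir/aide"
demo_manifest="$demo_dir/aide-artifacts.sha256"   # in real use: read-only media

aide_pin_artifacts "$demo_manifest" "$demo_dir/aide.db.gz" "$demo_dir/aide.conf" "$demo_dir/aide"

# 1) Untouched artifacts: the check runs (rc 0).
if AIDE_BIN="$demo_dir/aide" aide_checked_scan "$demo_manifest"; then rc_clean=0; else rc_clean=$?; fi

# 2) aide.conf is modified after pinning: the scan is refused (rc 2).
printf '# edited after pinning\n' >> "$demo_dir/aide.conf"
if AIDE_BIN="$demo_dir/aide" aide_checked_scan "$demo_manifest"; then rc_tampered=0; else rc_tampered=$?; fi
echo "clean run rc=$rc_clean, tampered run rc=$rc_tampered"
```

The manifest must be re-pinned after every legitimate "aide --init" or aide.conf change, which is the same moment the guide says the database itself should be rebuilt.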
Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        if ! rpm -q --quiet "aide" ; then
            yum install -y "aide"
        fi
        /usr/sbin/aide --init
        /bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: Ensure AIDE is installed
      package:
        name: '{{ item }}'
        state: present
      with_items:
      - aide
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - CJIS-5.10.1.3
      - NIST-800-53-CM-6(a)
      - PCI-DSS-Req-11.5
      - aide_build_database
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Build and Test AIDE Database
      command: /usr/sbin/aide --init
      changed_when: true
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - CJIS-5.10.1.3
      - NIST-800-53-CM-6(a)
      - PCI-DSS-Req-11.5
      - aide_build_database
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Check whether the stock AIDE Database exists
      stat:
        path: /var/lib/aide/aide.db.new.gz
      register: aide_database_stat
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - CJIS-5.10.1.3
      - NIST-800-53-CM-6(a)
      - PCI-DSS-Req-11.5
      - aide_build_database
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Stage AIDE Database
      copy:
        src: /var/lib/aide/aide.db.new.gz
        dest: /var/lib/aide/aide.db.gz
        backup: true
        remote_src: true
      when:
      - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
      tags:
      - CJIS-5.10.1.3
      - NIST-800-53-CM-6(a)
      - PCI-DSS-Req-11.5
      - aide_build_database
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

Configure AIDE to Verify the Audit Tools

The operating system file integrity tool must be configured to protect the integrity of the audit tools.

References: CCI-001496 AU-9(3) AU-9(3).1 SRG-OS-000278-GPOS-00108 SV-230475r627750_rule

Rationale: Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        if ! rpm -q --quiet "aide" ; then
            yum install -y "aide"
        fi
        if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
            sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
        else
            echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
        fi
        if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
            sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
        else
            echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
        fi
        if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
            sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
        else
            echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
        fi
        if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
            sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
        else
            echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
        fi
        if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
            sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
        else
            echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
        fi
        if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
            sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512#" /etc/aide.conf
        else
            echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
        fi
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: Ensure aide is installed
      package:
        name: '{{ item }}'
        state: present
      with_items:
      - aide
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - DISA-STIG-RHEL-08-030650
      - NIST-800-53-AU-9(3)
      - NIST-800-53-AU-9(3).1
      - aide_check_audit_tools
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Set audit_tools fact
      set_fact:
        audit_tools:
        - /usr/sbin/auditctl
        - /usr/sbin/auditd
        - /usr/sbin/augenrules
        - /usr/sbin/aureport
        - /usr/sbin/ausearch
        - /usr/sbin/autrace
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - DISA-STIG-RHEL-08-030650
      - NIST-800-53-AU-9(3)
      - NIST-800-53-AU-9(3).1
      - aide_check_audit_tools
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Ensure existing AIDE configuration for audit tools are correct
      lineinfile:
        path: /etc/aide.conf
        regexp: ^{{ item }}\s
        line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
      with_items: '{{ audit_tools }}'
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - DISA-STIG-RHEL-08-030650
      - NIST-800-53-AU-9(3)
      - NIST-800-53-AU-9(3).1
      - aide_check_audit_tools
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Configure AIDE to properly protect audit tools
      lineinfile:
        path: /etc/aide.conf
        line: '{{ item }} p+i+n+u+g+s+b+acl+xattrs+sha512'
      with_items: '{{ audit_tools }}'
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - DISA-STIG-RHEL-08-030650
      - NIST-800-53-AU-9(3)
      - NIST-800-53-AU-9(3).1
      - aide_check_audit_tools
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

Configure Periodic Execution of AIDE

At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check

To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

    05 4 * * 0 root /usr/sbin/aide --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly, is acceptable.
References: BP28(R51) 1.4.2 1 11 12 13 14 15 16 2 3 5 7 8 9 5.10.1.3 APO01.06 BAI01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS04.07 DSS05.02 DSS05.03 DSS05.05 DSS05.07 DSS06.02 DSS06.06 CCI-001744 CCI-002699 CCI-002702 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 6.2 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.4.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 A.8.2.3 SI-7 SI-7(1) CM-6(a) DE.CM-1 DE.CM-7 PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1 PR.IP-3 Req-11.5 SRG-OS-000363-GPOS-00150 SRG-OS-000446-GPOS-00200 SRG-OS-000447-GPOS-00201

Rationale: By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        if ! rpm -q --quiet "aide" ; then
            yum install -y "aide"
        fi
        if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
            echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
        else
            sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab
            echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
        fi
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: Ensure AIDE is installed
      package:
        name: '{{ item }}'
        state: present
      with_items:
      - aide
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - CJIS-5.10.1.3
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SI-7
      - NIST-800-53-SI-7(1)
      - PCI-DSS-Req-11.5
      - aide_periodic_cron_checking
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Configure Periodic Execution of AIDE
      cron:
        name: run AIDE check
        minute: 5
        hour: 4
        weekday: 0
        user: root
        job: /usr/sbin/aide --check
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - CJIS-5.10.1.3
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SI-7
      - NIST-800-53-SI-7(1)
      - PCI-DSS-Req-11.5
      - aide_periodic_cron_checking
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

Configure Notification of Post-AIDE Scan Details

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:

    | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

Otherwise, add the following line to /etc/crontab:

    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

AIDE can be executed periodically through other means; this is merely one example.
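The two rules above (periodic execution and post-scan notification) both come down to what the AIDE line in the crontab looks like. The following added example, which is not part of the SCAP Security Guide content, audits crontab text for that line instead of rewriting it: it reports whether an aide --check job exists, whether its schedule is at least weekly (the guide's minimum), and whether the report is piped to /bin/mail. The function name aide_cron_audit and the sample crontab lines in the test are this example's own assumptions; it takes the crontab content as text so it can run on constructed input as well as on the real files.

```shell
#!/bin/sh
# Audit crontab text for the AIDE job described in the guide. Returns 0 only
# when an aide --check job is scheduled at least weekly and mailed; the
# printed summary says which of the two conditions failed.
#
# Usage on a live host (assumption: root's crontab is in /etc/crontab and
# /etc/cron.d): aide_cron_audit "$(cat /etc/crontab /etc/cron.d/* 2>/dev/null)"
aide_cron_audit() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        /\/usr\/sbin\/aide[ \t]+--check/ {
            found = 1
            if ($1 ~ /^@(hourly|daily|midnight|weekly)$/) {
                weekly = 1                            # special time codes at or above weekly
            } else if ($1 ~ /^@/) {
                weekly = 0                            # @monthly, @yearly, @reboot, ...
            } else if ($3 == "*" && $4 == "*") {
                weekly = 1                            # day-of-month and month unrestricted:
            } else {                                  # runs daily or on chosen weekdays
                weekly = 0                            # pinned to a day of the month or a month
            }
            mailed = ($0 ~ /[|][ \t]*\/bin\/mail[ \t]/) ? 1 : 0
        }
        END {
            if (!found) { print "no AIDE check scheduled"; exit 1 }
            printf "weekly=%d mailed=%d\n", weekly, mailed
            rc = (weekly && mailed) ? 0 : 1
            exit rc
        }'
}
```

When several AIDE lines are present the last one wins, which matches how the remediation scripts above leave the file (one line appended after deleting earlier ones); a stricter audit would flag duplicates as a finding in their own right.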
References: BP28(R51) 1 11 12 13 15 16 2 3 5 7 8 9 BAI01.06 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS03.05 DSS05.02 DSS05.05 DSS05.07 CCI-001744 CCI-002702 4.3.4.3.2 4.3.4.3.3 SR 6.2 SR 7.6 A.12.1.2 A.12.4.1 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.14.2.7 A.15.2.1 CM-6(a) CM-3(5) DE.CM-1 DE.CM-7 PR.IP-1 PR.IP-3 SRG-OS-000363-GPOS-00150 SRG-OS-000447-GPOS-00201 SV-230263r627750_rule

Rationale: Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        if ! rpm -q --quiet "aide" ; then
            yum install -y "aide"
        fi
        var_aide_scan_notification_email=""
        CRONTAB=/etc/crontab
        CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
        # NOTE: on some platforms, /etc/crontab may not exist
        if [ -f /etc/crontab ]; then
            CRONTAB_EXIST=/etc/crontab
        fi
        if [ -f /var/spool/cron/root ]; then
            VARSPOOL=/var/spool/cron/root
        fi
        if ! grep -qR '^.*/usr/sbin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
            echo "0 5 * * * root /usr/sbin/aide --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
        fi
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: XCCDF Value var_aide_scan_notification_email # promote to variable
      set_fact:
        var_aide_scan_notification_email: !!str
      tags:
      - always

    - name: Ensure AIDE is installed
      package:
        name: '{{ item }}'
        state: present
      with_items:
      - aide
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - DISA-STIG-RHEL-08-010360
      - NIST-800-53-CM-3(5)
      - NIST-800-53-CM-6(a)
      - aide_scan_notification
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Configure Notification of Post-AIDE Scan Details
      cron:
        name: run AIDE check
        minute: 5
        hour: 4
        weekday: 0
        user: root
        job: /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
      - DISA-STIG-RHEL-08-010360
      - NIST-800-53-CM-3(5)
      - NIST-800-53-CM-6(a)
      - aide_scan_notification
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - restrict_strategy

Configure AIDE to Use FIPS 140-2 for Validating Hashes

By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in /etc/aide.conf:

    NORMAL = FIPSR+sha512

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 3.13.11 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7 SI-7(1) CM-6(a) PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227

Rationale: File integrity tools use cryptographic hashes for verifying that file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.

Configure AIDE to Verify Access Control Lists (ACLs)

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.
The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf.

References: BP28(R51) 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7 SI-7(1) CM-6(a) PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227 SV-230552r627750_rule

Rationale: ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.

Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        if ! rpm -q --quiet "aide" ; then
            yum install -y "aide"
        fi
        aide_conf="/etc/aide.conf"
        groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
        for group in $groups
        do
            config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
            if ! [[ $config = *acl* ]]
            then
                if [[ -z $config ]]
                then
                    config="acl"
                else
                    config=$config"+acl"
                fi
            fi
            sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
        done
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Configure AIDE to Verify Extended Attributes

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf.

References: BP28(R51) 2 3 APO01.06 BAI03.05 BAI06.01 DSS06.02 CCI-000366 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 A.11.2.4 A.12.2.1 A.12.5.1 A.14.1.2 A.14.1.3 A.14.2.4 SI-7 SI-7(1) CM-6(a) PR.DS-6 PR.DS-8 SRG-OS-000480-GPOS-00227 SV-230551r627750_rule

Rationale: Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
        if ! rpm -q --quiet "aide" ; then
            yum install -y "aide"
        fi
        aide_conf="/etc/aide.conf"
        groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
        for group in $groups
        do
            config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')
            if ! [[ $config = *xattrs* ]]
            then
                if [[ -z $config ]]
                then
                    config="xattrs"
                else
                    config=$config"+xattrs"
                fi
            fi
            sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
        done
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Federal Information Processing Standard (FIPS)

The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic modules. The FIPS standard provides four security levels to ensure adequate coverage of different industries, implementation of cryptographic modules, and organizational sizes and requirements. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux 8. See http://csrc.nist.gov/publications/PubsFIPS.html for more information.

Enable Dracut FIPS Module

To enable FIPS mode, run the following command:

    fips-mode-setup --enable

To enable FIPS, the system requires that the fips module is added in the dracut configuration. Check that /etc/dracut.conf.d/40-fips.conf contains:

    add_dracutmodules+=" fips "

The system needs to be rebooted for these changes to take effect.

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-000068 CCI-000803 CCI-002450 1446 CIP-003-3 R4.2 CIP-007-3 R5.1 SC-12(2) SC-12(3) IA-7 SC-13 CM-6(a) SC-12 SRG-OS-000478-GPOS-00223 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590

Rationale: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Enable FIPS Mode

To enable FIPS mode, run the following command:

    fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:

- Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
- Creating /etc/system-fips
- Setting the system crypto policy in /etc/crypto-policies/config to FIPS
- Loading the Dracut fips module

Furthermore, the system running in FIPS mode should be FIPS certified by NIST. The system needs to be rebooted for these changes to take effect.
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-000068 CCI-000803 CCI-002450 1446 CIP-003-3 R4.2 CIP-007-3 R5.1 SC-12(2) SC-12(3) IA-7 SC-13 CM-6(a) SC-12 FCS_COP.1(1) FCS_COP.1(2) FCS_COP.1(3) FCS_COP.1(4) FCS_CKM.1 FCS_CKM.2 FCS_TLSC_EXT.1 SRG-OS-000478-GPOS-00223 SRG-OS-000396-GPOS-00176 SV-230223r627750_rule SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590

Rationale: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Ensure '/etc/system-fips' exists

On a system where FIPS mode is enabled, /etc/system-fips must exist. To enable FIPS mode, run the following command:

    fips-mode-setup --enable

The system needs to be rebooted for these changes to take effect.

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-000068 CCI-000803 CCI-002450 CIP-003-3 R4.2 CIP-007-3 R5.1 SC-12(2) SC-12(3) IA-7 SC-13 CM-6(a) SC-12 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590

Rationale: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Set kernel parameter 'crypto.fips_enabled' to 1

A system running in FIPS mode is indicated by the kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command:

    fips-mode-setup --enable

The system needs to be rebooted for these changes to take effect.

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-000068 CCI-000803 CCI-002450 CIP-003-3 R4.2 CIP-007-3 R5.1 SC-12(2) SC-12(3) IA-7 SC-13 CM-6(a) SC-12 SRG-OS-000033-GPOS-00014 SRG-OS-000125-GPOS-00065 SRG-OS-000396-GPOS-00176 SRG-OS-000423-GPOS-00187 SRG-OS-000478-GPOS-00223 SV-230223r627750_rule SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590

Rationale: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

System Cryptographic Policies

Linux has the capability to centrally configure cryptographic policies. The command update-crypto-policies is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic policies will be the default policy used by these backends unless the application user configures them otherwise.
When the system has been configured to use the centralized cryptographic policies, the administrator is assured that any application that utilizes the supported backends will follow a policy that adheres to the configured profile. Currently the supported backends are:

- GnuTLS library
- OpenSSL library
- NSS library
- OpenJDK
- Libkrb5
- BIND
- OpenSSH

Applications and languages which rely on any of these backends will follow the system policies as well. Examples are apache httpd, nginx, php, and others.

SSH client RekeyLimit - size

Specify the size component of the rekey limit. This limit signifies an amount of data. After this amount of data is transferred through the connection, the session key is renegotiated. The number is followed by K, M or G for kilobytes, megabytes or gigabytes. Note that the RekeyLimit can also be configured according to elapsed time.

Default value: 512M. Possible values: 512M, 1G.

SSH client RekeyLimit - time

Specify the time component of the rekey limit. The session key is renegotiated after the defined amount of time passes. The number is followed by units such as H or M for hours or minutes. Note that the RekeyLimit can also be configured according to the amount of transferred data.

Default value: 1h. Possible values: 1h.

The system-provided crypto policies

Specify the crypto policy for the system.

Default value: DEFAULT. Possible values: DEFAULT, DEFAULT:NO-SHA1, FIPS, FIPS:OSPP, LEGACY, FUTURE, NEXT.

Install crypto-policies package

The crypto-policies package can be installed with the following command:

    $ sudo yum install crypto-policies

References: FCS_COP.1(1) FCS_COP.1(2) FCS_COP.1(3) FCS_COP.1(4) FCS_CKM.1 FCS_CKM.2 FCS_TLSC_EXT.1 SRG-OS-000396-GPOS-00176 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174

Rationale: Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

Remediation Shell script:

    if ! rpm -q --quiet "crypto-policies" ; then
        yum install -y "crypto-policies"
    fi

Remediation Ansible snippet:

    - name: Ensure crypto-policies is installed
      package:
        name: crypto-policies
        state: present
      tags:
      - enable_strategy
      - low_complexity
      - low_disruption
      - medium_severity
      - no_reboot_needed
      - package_crypto-policies_installed

Remediation Puppet snippet:

    include install_crypto-policies
    class install_crypto-policies {
      package { 'crypto-policies':
        ensure => 'installed',
      }
    }

Remediation Anaconda snippet:

    package --add=crypto-policies

Remediation OSBuild Blueprint snippet:

    [[packages]]
    name = "crypto-policies"
    version = "*"

Configure BIND to use System Crypto Policy

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that /etc/named.conf includes the appropriate configuration: in the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes:

    include "/etc/crypto-policies/back-ends/bind.config";

References: CIP-003-3 R4.2 CIP-007-3 R5.1 SC-13 SC-12(2) SC-12(3) SRG-OS-000423-GPOS-00187 SRG-OS-000426-GPOS-00190

Rationale: Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.

Remediation Shell script:

    function remediate_bind_crypto_policy() {
        CONFIG_FILE="/etc/named.conf"
        if test -f "$CONFIG_FILE"; then
            sed -i 's|options {|&\n\tinclude "/etc/crypto-policies/back-ends/bind.config";|' "$CONFIG_FILE"
            return 0
        else
            echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
            return 1
        fi
    }
    remediate_bind_crypto_policy

Configure System Cryptography Policy

To configure the system cryptography policy to use ciphers only from the policy, run the following command:

    $ sudo update-crypto-policies --set

The rule checks if the settings for the selected crypto policy are configured as expected.
Configuration files in /etc/crypto-policies/back-ends are either symlinks to the correct files provided by the crypto-policies package, or regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case the module is delimited from the base policy using a colon. The system needs to be rebooted for these changes to take effect.

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: 1.10 1.11 164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.312(e)(1) 164.312(e)(2)(ii) 1446 CIP-003-3 R4.2 CIP-007-3 R5.1 CIP-007-3 R7.1 AC-17(a) AC-17(2) CM-6(a) MA-4(6) SC-13 SC-12(2) SC-12(3) FCS_COP.1(1) FCS_COP.1(2) FCS_COP.1(3) FCS_COP.1(4) FCS_CKM.1 FCS_CKM.2 FCS_TLSC_EXT.1 SRG-OS-000396-GPOS-00176 SRG-OS-000393-GPOS-00173 SRG-OS-000394-GPOS-00174

Rationale: Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. # include remediation functions library var_system_crypto_policy="" stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) rc=$? if test "$rc" = 127; then echo "$stderr_of_call" >&2 echo "Make sure that the script is installed on the remediated system." >&2 echo "See output of the 'dnf provides update-crypto-policies' command" >&2 echo "to see what package to (re)install" >&2 false # end with an error code elif test "$rc" != 0; then echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 false # end with an error code fi - name: XCCDF Value var_system_crypto_policy # promote to variable set_fact: var_system_crypto_policy: !!str tags: - always - name: Configure System Cryptography Policy lineinfile: path: /etc/crypto-policies/config regexp: ^(?!#)(\S+)$ line: '{{ var_system_crypto_policy }}' create: true tags: - NIST-800-53-AC-17(2) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-MA-4(6) - NIST-800-53-SC-12(2) - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - configure_crypto_policy - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy - name: Verify that Crypto Policy is Set (runtime) command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} tags: - NIST-800-53-AC-17(2) - NIST-800-53-AC-17(a) - NIST-800-53-CM-6(a) - NIST-800-53-MA-4(6) - NIST-800-53-SC-12(2) - NIST-800-53-SC-12(3) - NIST-800-53-SC-13 - configure_crypto_policy - high_severity - low_complexity - low_disruption - no_reboot_needed - restrict_strategy Configure GnuTLS library to use DoD-approved TLS Encryption Crypto Policies provide a centralized control over crypto algorithms usage of many packages. GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be set up to ignore it. 
To check that the Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/gnutls.config contains the following line and that it is not commented out:

```text
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
```

References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, SV-230256r627750_rule

Rationale: Overriding the system crypto policy makes the behavior of the GnuTLS library violate expectations, and makes system configuration more fragmented.

Remediation Shell script:

```bash
CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'

grep -q "${correct_value}" "${CONF_FILE}"

if [[ $? -ne 0 ]]; then
    # We need to get the existing value, using PCRE to maintain same regex
    existing_value=$(grep -Po '(\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)' "${CONF_FILE}")

    if [[ ! -z ${existing_value} ]]; then
        # replace existing_value with correct_value
        sed -i "s/${existing_value}/${correct_value}/g" "${CONF_FILE}"
    else
        # ***NOTE***
        # This probably means this file is not here or it's been modified
        # unintentionally.
        # **********
        # echo correct_value to end
        echo "${correct_value}" >> "${CONF_FILE}"
    fi
fi
```

Remediation Ansible snippet:

```yaml
- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: set_fact'
  set_fact:
    path: /etc/crypto-policies/back-ends/gnutls.config
    correct_value: +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
    lineinfile_reg: \+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0
  tags:
    - DISA-STIG-RHEL-08-010295
    - NIST-800-53-AC-17(2)
    - configure_gnutls_tls_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: stat'
  stat:
    path: '{{ path }}'
    follow: true
  register: gnutls_file
  tags:
    - DISA-STIG-RHEL-08-010295
    - NIST-800-53-AC-17(2)
    - configure_gnutls_tls_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Add'
  lineinfile:
    path: '{{ path }}'
    regexp: '{{ lineinfile_reg }}'
    line: '{{ correct_value }}'
    create: true
  when: not gnutls_file.stat.exists or gnutls_file.stat.size <= correct_value|length
  tags:
    - DISA-STIG-RHEL-08-010295
    - NIST-800-53-AC-17(2)
    - configure_gnutls_tls_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: Configure GnuTLS library to use DoD-approved TLS Encryption
  block:
    - name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Existing value check'
      lineinfile:
        path: '{{ path }}'
        create: false
        regexp: '{{ lineinfile_reg }}'
        state: absent
      check_mode: true
      changed_when: false
      register: gnutls

    - name: 'Configure GnuTLS library to use DoD-approved TLS Encryption: Update'
      replace:
        path: '{{ path }}'
        regexp: (\+VERS-ALL(?::-VERS-[A-Z]+\d\.\d)+)
        replace: '{{ correct_value }}'
      when: gnutls.found is defined and gnutls.found != 1
  when: gnutls_file.stat.exists and gnutls_file.stat.size > correct_value|length
  tags:
    - DISA-STIG-RHEL-08-010295
    - NIST-800-53-AC-17(2)
    - configure_gnutls_tls_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
```

Configure Kerberos to use System Crypto Policy

Description: Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. Kerberos is supported by the crypto policy, but its configuration may be set up to ignore it. To check that the Crypto Policies settings for Kerberos are configured correctly, verify that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/crypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

References: 0418, 1055, 1402, CIP-003-3 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061

Rationale: Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

Remediation Shell script:

```bash
rm -f /etc/krb5.conf.d/crypto-policies
ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies
```

Remediation Ansible snippet:

```yaml
- name: Configure Kerberos to use System Crypto Policy
  file:
    src: /etc/crypto-policies/back-ends/krb5.config
    path: /etc/krb5.conf.d/crypto-policies
    state: link
  tags:
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_kerberos_crypto_policy
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
```

Configure Libreswan to use System Crypto Policy

Description: Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. Libreswan is supported by the system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, ensure that /etc/ipsec.conf includes the appropriate configuration file.
In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes:

```text
include /etc/crypto-policies/back-ends/libreswan.config
```

References: CIP-003-3 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014

Rationale: Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

Remediation Shell script:

```bash
function remediate_libreswan_crypto_policy() {
    CONFIG_FILE="/etc/ipsec.conf"
    # append the include only if no active (uncommented) include line is present
    if ! grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then
        echo 'include /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE"
    fi
    return 0
}

remediate_libreswan_crypto_policy
```

Remediation Ansible snippet:

```yaml
- name: Configure Libreswan to use System Crypto Policy
  lineinfile:
    path: /etc/ipsec.conf
    line: include /etc/crypto-policies/back-ends/libreswan.config
    create: true
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_libreswan_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
```

Configure OpenSSL library to use System Crypto Policy

Description: Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. OpenSSL is supported by the crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, examine the OpenSSL config file at /etc/pki/tls/openssl.cnf. This file uses the INI format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
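A plain grep for the .include line would also accept a directive that sits under some other section or one that is commented out. The following added check (not part of the SCAP Security Guide) walks the INI sections of an openssl.cnf-style file and accepts the directive only inside [ crypto_policy ]; the sample files it creates are constructed stand-ins for /etc/pki/tls/openssl.cnf.

```shell
#!/bin/sh
# Added example, not project code: section-aware check for the
# "Configure OpenSSL library to use System Crypto Policy" rule.

openssl_policy_included() {
    # $1: path to an openssl.cnf-style file. Exit 0 if an uncommented
    # `.include /etc/crypto-policies/back-ends/opensslcnf.config` is found
    # inside the [ crypto_policy ] section (whitespace in the brackets allowed).
    awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/   {                             # section header
            hdr = $0
            gsub(/[][ \t]/, "", hdr)                # keep the bare section name
            in_policy = (hdr == "crypto_policy")
            next
        }
        in_policy && /^[ \t]*\.include[ \t]+\/etc\/crypto-policies\/back-ends\/opensslcnf\.config[ \t]*$/ {
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample files standing in for /etc/pki/tls/openssl.cnf.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Compliant: the directive lives inside the crypto_policy section.
printf '%s\n' \
    'openssl_conf = default_modules' \
    '' \
    '[ default_modules ]' \
    'ssl_conf = ssl_module' \
    '' \
    '[ ssl_module ]' \
    'system_default = crypto_policy' \
    '' \
    '[ crypto_policy ]' \
    '.include /etc/crypto-policies/back-ends/opensslcnf.config' \
    > "$SAMPLES/compliant.cnf"

# Non-compliant: the directive exists, but under a different section.
printf '%s\n' \
    '[ ssl_module ]' \
    '.include /etc/crypto-policies/back-ends/opensslcnf.config' \
    '' \
    '[ crypto_policy ]' \
    > "$SAMPLES/wrong_section.cnf"

# Non-compliant: the directive is commented out.
printf '%s\n' \
    '[crypto_policy]' \
    '# .include /etc/crypto-policies/back-ends/opensslcnf.config' \
    > "$SAMPLES/commented.cnf"

for f in "$SAMPLES"/*.cnf; do
    if openssl_policy_included "$f"; then
        echo "PASS $(basename "$f")"
    else
        echo "FAIL $(basename "$f")"
    fi
done
```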
References: CCI-001453, CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093, SV-230254r627750_rule

Rationale: Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented.

Remediation Shell script:

```bash
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'

function remediate_openssl_crypto_policy() {
    CONFIG_FILE="/etc/pki/tls/openssl.cnf"
    if test -f "$CONFIG_FILE"; then
        if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
            # no crypto_policy section at all: append the section and the include
            printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
            return 0
        # the inclusion regex already carries its own ^ anchor
        elif ! grep -q "$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
            # section present but include missing: insert it after the section header
            sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
            return 0
        fi
    else
        echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
        return 1
    fi
}

remediate_openssl_crypto_policy
```

Remediation Ansible snippet:

```yaml
- name: Test for crypto_policy group
  command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf
  register: test_crypto_policy_group
  ignore_errors: true
  changed_when: false
  check_mode: false
  tags:
    - DISA-STIG-RHEL-08-010293
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Add .include for opensslcnf.config to crypto_policy section
  lineinfile:
    create: true
    insertafter: ^\s*\[\s*crypto_policy\s*]\s*
    line: .include /etc/crypto-policies/back-ends/opensslcnf.config
    path: /etc/pki/tls/openssl.cnf
  when:
    - test_crypto_policy_group.stdout is defined
    - test_crypto_policy_group.stdout | length > 0
  tags:
    - DISA-STIG-RHEL-08-010293
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Add crypto_policy group and set include opensslcnf.config
  lineinfile:
    create: true
    line: |-
      [crypto_policy]
      .include /etc/crypto-policies/back-ends/opensslcnf.config
    path: /etc/pki/tls/openssl.cnf
  when:
    - test_crypto_policy_group.stdout is defined
    - test_crypto_policy_group.stdout | length < 1
  tags:
    - DISA-STIG-RHEL-08-010293
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy
```

Configure OpenSSL library to use TLS Encryption

Description: Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including OpenSSL. OpenSSL is by default configured to adjust its configuration to the currently configured Crypto Policy. Editing the Crypto Policy back-end is not recommended. Check the crypto-policies(7) man page and choose a policy that configures the TLS protocol to version 1.2 or higher, for example the DEFAULT, FUTURE or FIPS policy, or create and apply a custom policy that restricts the minimum TLS version to 1.2. This rule does not come with a remediation, because automatically changing the crypto policy may be too disruptive. Ensure the variable xccdf_org.ssgproject.content_value_var_system_crypto_policy is set to a Crypto Policy that satisfies an OpenSSL minimum TLS protocol version of 1.2. Custom policies may be applied too.

References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SV-230255r627750_rule

Rationale: Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Configure SSH to use System Crypto Policy

Description: Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. SSH is supported by the crypto policy, but the SSH configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd.

References: 5.2.20, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SRG-OS-000250-GPOS-00093

Rationale: Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.

Remediation Shell script:

```bash
SSH_CONF="/etc/sysconfig/sshd"

# remove any CRYPTO_POLICY assignment so sshd falls back to the system policy
sed -i "/^\s*CRYPTO_POLICY.*$/d" "$SSH_CONF"
```

Remediation Ansible snippet:

```yaml
- name: Configure SSH to use System Crypto Policy
  lineinfile:
    dest: /etc/sysconfig/sshd
    state: absent
    regexp: ^\s*CRYPTO_POLICY.*$
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - configure_ssh_crypto_policy
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
```

Harden OpenSSL Crypto Policy

Description: Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including OpenSSL. OpenSSL is by default configured to adjust its configuration to the currently configured Crypto Policy. However, in certain cases it might be necessary to override the part of the Crypto Policy specific to OpenSSL and leave the rest of the Crypto Policy intact. This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with an arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that the changes are applied. The changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks whether this file contains the predefined Ciphersuites variable configured with the predefined value.

References: CIP-003-3 R4.2, CIP-007-3 R5.1, SC-8(1), SC-13, FCS_TLSC_EXT.1.1, SRG-OS-000396-GPOS-00176, SRG-OS-000424-GPOS-00188, SRG-OS-000478-GPOS-00223

Rationale: The Common Criteria requirements specify that certain parameters for OpenSSL are configured, e.g. cipher suites. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.
Remediation Shell script:

```bash
cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
file="/etc/crypto-policies/local.d/opensslcnf-ospp.config"
backend_file="/etc/crypto-policies/back-ends/opensslcnf.config"

# drop any existing Ciphersuites line from the back-end, then add the local.d
# override and regenerate the back-ends from the policy plus customizations
sed -i "/Ciphersuites\s*=\s*/d" "$backend_file"
printf "\n%s\n" "$cp" >> "$file"
update-crypto-policies
```

Remediation Ansible snippet:

```yaml
- name: Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config
  lineinfile:
    path: /etc/crypto-policies/local.d/opensslcnf-ospp.config
    line: Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    create: true
    insertafter: EOF
  tags:
    - NIST-800-53-SC-13
    - NIST-800-53-SC-8(1)
    - harden_openssl_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: Update system crypto policy for changes to take effect
  command:
    cmd: update-crypto-policies
  tags:
    - NIST-800-53-SC-13
    - NIST-800-53-SC-8(1)
    - harden_openssl_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
```

Harden SSH client Crypto Policy

Description: Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including the OpenSSH client. To override the system-wide crypto policy for the OpenSSH client, place a file in /etc/ssh/ssh_config.d/ so that it is loaded before 05-redhat.conf. In this case it is a file named 02-ospp.conf containing the parameters which need to be changed with respect to the crypto policy. This rule checks whether the file exists and whether it contains the required parameters and values which modify the Crypto Policy. During parsing, as soon as the OpenSSH client reads a configuration option and its value, it remembers that value and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends customizations at the end of the system-wide crypto policy. Therefore, if a crypto policy customization overrides a parameter which is already configured in the system-wide crypto policy, the SSH client will not honor the customized parameter.

References: CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSHC_EXT.1, SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174

Rationale: The Common Criteria requirements specify how certain parameters for the OpenSSH client are configured. The particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.

Remediation Shell script:

```bash
# the file starts with 02 so that it is loaded before the 05-redhat.conf which
# activates configuration provided by the system-wide crypto policy
file="/etc/ssh/ssh_config.d/02-ospp.conf"

echo -e "Match final all\n\
    RekeyLimit 512M 1h\n\
    GSSAPIAuthentication no\n\
    Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\n\
    PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\n\
    MACs hmac-sha2-512,hmac-sha2-256\n\
    KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\n" > "$file"
```

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

Description: Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. OpenSSH is supported by the system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that the Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and that it is not commented out:

```text
Ciphers
```

Warning: The system needs to be rebooted for these changes to take effect.

Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093

Rationale: Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list ordered from strongest to weakest, the system will automatically attempt to use the strongest cipher for securing SSH connections.

Remediation Shell script:

```bash
# XCCDF Value sshd_approved_ciphers (left unset in this rendering)
sshd_approved_ciphers=""

if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
    # remove every existing Ciphers line so exactly one remains afterwards
    LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
else
    touch "/etc/crypto-policies/back-ends/openssh.config"
fi
cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak"

# Insert at the end of the file
printf '%s\n' "Ciphers ${sshd_approved_ciphers}" >> "/etc/crypto-policies/back-ends/openssh.config"

# Clean up after ourselves.
rm "/etc/crypto-policies/back-ends/openssh.config.bak"
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sshd_approved_ciphers # promote to variable
  set_fact:
    sshd_approved_ciphers: !!str
  tags:
    - always

- name: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
  block:
    - name: Check for duplicate values
      lineinfile:
        path: /etc/crypto-policies/back-ends/openssh.config
        create: false
        regexp: ^.*Ciphers\s+
        state: absent
      check_mode: true
      changed_when: false
      register: dupes

    - name: Deduplicate values from /etc/crypto-policies/back-ends/openssh.config
      lineinfile:
        path: /etc/crypto-policies/back-ends/openssh.config
        create: false
        regexp: ^.*Ciphers\s+
        state: absent
      when: dupes.found is defined and dupes.found > 1

    - name: Insert correct line to /etc/crypto-policies/back-ends/openssh.config
      lineinfile:
        path: /etc/crypto-policies/back-ends/openssh.config
        create: true
        regexp: ^.*Ciphers\s+
        line: Ciphers {{ sshd_approved_ciphers }}
        state: present
  tags:
    - NIST-800-53-AC-17(2)
    - harden_sshd_ciphers_openssh_conf_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
```

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

Description: Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. OpenSSH is supported by the system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that the Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and that it is not commented out:

```text
-oCiphers=
```

Warning: The system needs to be rebooted for these changes to take effect.

Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SV-230252r743940_rule

Rationale: Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list ordered from strongest to weakest, the system will automatically attempt to use the strongest cipher for securing SSH connections.

Remediation Shell script:

```bash
# XCCDF Value sshd_approved_ciphers (left unset in this rendering)
sshd_approved_ciphers=""

CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
correct_value="-oCiphers=${sshd_approved_ciphers}"

# Test if file exists
test -f ${CONF_FILE} || touch ${CONF_FILE}

# Ensure CRYPTO_POLICY is not commented out
sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}

grep -q "'${correct_value}'" ${CONF_FILE}

if [[ $? -ne 0 ]]; then
    # We need to get the existing value, using PCRE to maintain same regex
    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})

    if [[ ! -z ${existing_value} ]]; then
        # replace existing_value with correct_value
        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
    else
        # ***NOTE***
        # This probably means this file is not here or it's been modified
        # unintentionally.
        # **********
        # echo correct_value to end
        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
    fi
fi
```

Remediation Ansible snippet:

```yaml
- name: XCCDF Value sshd_approved_ciphers # promote to variable
  set_fact:
    sshd_approved_ciphers: !!str
  tags:
    - always

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config: Set facts'
  set_fact:
    path: /etc/crypto-policies/back-ends/opensshserver.config
    correct_value: -oCiphers={{ sshd_approved_ciphers }}
  tags:
    - DISA-STIG-RHEL-08-010291
    - NIST-800-53-AC-17(2)
    - harden_sshd_ciphers_opensshserver_conf_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config: Stat'
  stat:
    path: '{{ path }}'
    follow: true
  register: opensshserver_file
  tags:
    - DISA-STIG-RHEL-08-010291
    - NIST-800-53-AC-17(2)
    - harden_sshd_ciphers_opensshserver_conf_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config: Create'
  lineinfile:
    path: '{{ path }}'
    line: CRYPTO_POLICY='{{ correct_value }}'
    create: true
  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
  tags:
    - DISA-STIG-RHEL-08-010291
    - NIST-800-53-AC-17(2)
    - harden_sshd_ciphers_opensshserver_conf_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
  block:
    - name: Existing value check
      lineinfile:
        path: '{{ path }}'
        create: false
        regexp: '{{ correct_value }}'
        state: absent
      check_mode: true
      changed_when: false
      register: opensshserver

    - name: Update/Correct value
      replace:
        path: '{{ path }}'
        regexp: (-oCiphers=\S+)
        replace: '{{ correct_value }}'
      when: opensshserver.found is defined and opensshserver.found != 1
  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
  tags:
    - DISA-STIG-RHEL-08-010291
    - NIST-800-53-AC-17(2)
    - harden_sshd_ciphers_opensshserver_conf_crypto_policy
    - low_complexity
    - low_disruption
    - medium_severity
    - reboot_required
    - restrict_strategy
```

Harden SSHD Crypto Policy

Description: Crypto Policies are a means of enforcing certain cryptographic settings for selected applications, including the OpenSSH server. The SSHD service is by default configured to adjust its configuration to the currently configured Crypto Policy. However, in certain cases it might be necessary to override the part of the Crypto Policy specific to the OpenSSH server and leave the rest of the Crypto Policy intact. This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with an arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that the changes are applied. The changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks whether this file contains the predefined CRYPTO_POLICY environment variable configured with the predefined value.

References: CIP-003-3 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_SSHS_EXT.1, SRG-OS-000250-GPOS-00093, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061

Rationale: The Common Criteria requirements specify that certain parameters for the OpenSSH server are configured, e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms and HMACs, and that GSSAPI key exchange is disabled. Currently the particular requirements specified by CC are stricter than any existing Crypto Policy.
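The remediations for the three opensshserver.config rules above (FIPS ciphers, FIPS MACs, Harden SSHD) grep for one exact string. The following added check (not part of the SCAP Security Guide) instead parses the active CRYPTO_POLICY line into its -oOption=value pairs and compares each list against an approved list taken from the Harden SSHD remediation, so a commented-out line, a reordered option list or an extra algorithm in a list are all reported; the sample files are constructed stand-ins for the back-end file, and the non-approved cipher in the last sample is a constructed negative case.

```shell
#!/bin/sh
# Added example, not project code: parse and audit the CRYPTO_POLICY line of
# /etc/crypto-policies/back-ends/opensshserver.config.

sshd_policy_option() {
    # $1: opensshserver.config-style file, $2: option name (e.g. Ciphers).
    # Prints the option's value from the last uncommented CRYPTO_POLICY= line;
    # exit 1 if the line or the option is missing.
    line=$(grep -E '^[ \t]*CRYPTO_POLICY=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*CRYPTO_POLICY=}
    value=${value#\'}; value=${value%\'}          # strip the surrounding quotes
    for tok in $value; do                         # one -oName=list per token
        case $tok in
            -o"$2"=*) printf '%s\n' "${tok#-o"$2"=}"; return 0 ;;
        esac
    done
    return 1
}

list_within() {
    # $1: comma-separated list found on the system, $2: comma-separated list
    # of approved values. Exit 0 only if every entry of $1 is approved.
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$item,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Approved lists, taken from the Harden SSHD remediation above.
APPROVED_CIPHERS='aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc'
APPROVED_MACS='hmac-sha2-512,hmac-sha2-256'

audit_file() {
    # Exit 0 when Ciphers and MACs are present and within the approved lists.
    c=$(sshd_policy_option "$1" Ciphers) || return 1
    m=$(sshd_policy_option "$1" MACs) || return 1
    list_within "$c" "$APPROVED_CIPHERS" && list_within "$m" "$APPROVED_MACS"
}

# Constructed sample files standing in for the back-end file.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Compliant: the exact line the Harden SSHD remediation writes.
printf '\n%s\n' "CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'" \
    > "$SAMPLES/compliant"

# Non-compliant: the only CRYPTO_POLICY line is commented out.
printf '%s\n' "#CRYPTO_POLICY='-oCiphers=aes256-ctr -oMACs=hmac-sha2-512'" \
    > "$SAMPLES/commented"

# Non-compliant: a cipher outside the approved list (constructed negative case).
printf '%s\n' "CRYPTO_POLICY='-oCiphers=aes256-ctr,arcfour -oMACs=hmac-sha2-512,hmac-sha2-256'" \
    > "$SAMPLES/extra_cipher"

for f in "$SAMPLES"/*; do
    if audit_file "$f"; then
        echo "PASS $(basename "$f")"
    else
        echo "FAIL $(basename "$f")"
    fi
done
```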
cp="CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'" file=/etc/crypto-policies/local.d/opensshserver-ospp.config #blank line at the begining to ease later readibility echo '' > "$file" echo "$cp" >> "$file" update-crypto-policies Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: MACs hmac-sha2-512,hmac-sha2-256 The system needs to be rebooted for these changes to take effect. System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. 
While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. CCI-001453 AC-17(2) SRG-OS-000250-GPOS-00093 Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. sshd_approved_macs="" if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config" else touch "/etc/crypto-policies/back-ends/openssh.config" fi cp "/etc/crypto-policies/back-ends/openssh.config" "/etc/crypto-policies/back-ends/openssh.config.bak" # Insert at the end of the file printf '%s\n' "MACs ${sshd_approved_macs}" >> "/etc/crypto-policies/back-ends/openssh.config" # Clean up after ourselves. rm "/etc/crypto-policies/back-ends/openssh.config.bak" - name: XCCDF Value sshd_approved_macs # promote to variable set_fact: sshd_approved_macs: !!str tags: - always - name: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config' block: - name: Check for duplicate values lineinfile: path: /etc/crypto-policies/back-ends/openssh.config create: false regexp: ^.*MACs\s+ state: absent check_mode: true changed_when: false register: dupes - name: Deduplicate values from /etc/crypto-policies/back-ends/openssh.config lineinfile: path: /etc/crypto-policies/back-ends/openssh.config create: false regexp: ^.*MACs\s+ state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/crypto-policies/back-ends/openssh.config lineinfile: path: /etc/crypto-policies/back-ends/openssh.config create: true regexp: ^.*MACs\s+ line: MACs {{ sshd_approved_macs }} state: present tags: - NIST-800-53-AC-17(2) - harden_sshd_macs_openssh_conf_crypto_policy - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config Crypto Policies provide a centralized 
control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out: -oMACS=hmac-sha2-512,hmac-sha2-256 The system needs to be rebooted for these changes to take effect. System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. CCI-001453 AC-17(2) SRG-OS-000250-GPOS-00093 SV-230251r743937_rule Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. sshd_approved_macs="" CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config correct_value="-oMACs=${sshd_approved_macs}" # Test if file exists test -f ${CONF_FILE} || touch ${CONF_FILE} # Ensure CRYPTO_POLICY is not commented out sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} grep -q "'${correct_value}'" ${CONF_FILE} if [[ $? 
    -ne 0 ]]; then
        # We need to get the existing value, using PCRE to maintain same regex
        existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
        if [[ ! -z ${existing_value} ]]; then
            # replace existing_value with correct_value
            sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
        else
            # ***NOTE***
            #
            # This probably means this file is not here or it's been modified
            # unintentionally.
            # **********
            #
            # echo correct_value to end
            echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
        fi
    fi

Remediation (Ansible):

    - name: XCCDF Value sshd_approved_macs # promote to variable
      set_fact:
        sshd_approved_macs: !!str
      tags:
        - always

    - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config: Set facts'
      set_fact:
        path: /etc/crypto-policies/back-ends/opensshserver.config
        correct_value: -oMACs={{ sshd_approved_macs }}
      tags:
        - DISA-STIG-RHEL-08-010290
        - NIST-800-53-AC-17(2)
        - harden_sshd_macs_opensshserver_conf_crypto_policy
        - low_complexity
        - low_disruption
        - medium_severity
        - reboot_required
        - restrict_strategy

    - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config: Stat'
      stat:
        path: '{{ path }}'
        follow: true
      register: opensshserver_file
      tags:
        - DISA-STIG-RHEL-08-010290
        - NIST-800-53-AC-17(2)
        - harden_sshd_macs_opensshserver_conf_crypto_policy
        - low_complexity
        - low_disruption
        - medium_severity
        - reboot_required
        - restrict_strategy

    - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config: Create'
      lineinfile:
        path: '{{ path }}'
        line: CRYPTO_POLICY='{{ correct_value }}'
        create: true
      when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
      tags:
        - DISA-STIG-RHEL-08-010290
        - NIST-800-53-AC-17(2)
        - harden_sshd_macs_opensshserver_conf_crypto_policy
        - low_complexity
        - low_disruption
        - medium_severity
        - reboot_required
        - restrict_strategy

    - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
      block:
        - name: Existing value check
          lineinfile:
            path: '{{ path
              }}'
            create: false
            regexp: '{{ correct_value }}'
            state: absent
          check_mode: true
          changed_when: false
          register: opensshserver

        - name: Update/Correct value
          replace:
            path: '{{ path }}'
            regexp: (-oMACs=\S+)
            replace: '{{ correct_value }}'
          when: opensshserver.found is defined and opensshserver.found != 1
      when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
      tags:
        - DISA-STIG-RHEL-08-010290
        - NIST-800-53-AC-17(2)
        - harden_sshd_macs_opensshserver_conf_crypto_policy
        - low_complexity
        - low_disruption
        - medium_severity
        - reboot_required
        - restrict_strategy

OpenSSL uses strong entropy source

By default, OpenSSL doesn't always use an SP800-90A compliant random number generator. A way to configure OpenSSL to always use a strong source is to set up a wrapper that defines a shell function that shadows the actual openssl binary, and that ensures that the -rand /dev/random option is added to every openssl invocation. To do so, place the following shell snippet exactly as-is in /etc/profile.d/openssl-rand.sh:

    # provide a default -rand /dev/random option to openssl commands that
    # support it
    # written inefficiently for maximum shell compatibility
    openssl() (
      openssl_bin=/usr/bin/openssl

      case "$*" in
        # if user specified -rand, honor it
        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
      esac

      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
      for i in `$openssl_bin list -commands`; do
        if $openssl_bin list -options "$i" | grep -q '^rand '; then
          cmds=" $i $cmds"
        fi
      done

      case "$cmds" in
        *\ "$1"\ *)
          cmd="$1"; shift
          exec $openssl_bin "$cmd" -rand /dev/random "$@"
          ;;
      esac

      exec $openssl_bin "$@"
    )

Warning: This setting can cause problems on computers without a hardware random number generator, because insufficient entropy blocks the program until enough entropy is available.

References: 1277 1552 FCS_RBG_EXT.1.2 SRG-OS-000480-GPOS-00227

Rationale: This rule ensures that openssl invocations always use an SP800-90A compliant random number generator as the default behavior.
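Returning to the two crypto-policy MACs rules above (openssh.config for the client, opensshserver.config for the server): both remediations rewrite the back-end file, but before touching a fleet an administrator usually wants a read-only audit that reports what is actually configured and whether a commented-out line is masking the setting. The script below is an added example and is not part of the SCAP Security Guide content. It assumes the RHEL 8 file formats, a `CRYPTO_POLICY='... -oMACs=<list> ...'` line in the server back-end and a plain `MACs <list>` line in the client back-end, and uses the two MACs named in the rule text as the approved set; the demo file contents are constructed.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: read-only audit of the
# MACs the system crypto policy hands to OpenSSH on RHEL 8. Assumes the
# server back-end holds one CRYPTO_POLICY='...' line with an -oMACs=<list>
# option and the client back-end holds a plain "MACs <list>" line.

# Approved MACs: the two the rule text above lists.
APPROVED_MACS="hmac-sha2-512 hmac-sha2-256"

# Print the comma-separated MAC list from the first active (uncommented)
# CRYPTO_POLICY= or MACs line of file $1; print nothing if there is none.
configured_macs() {
    grep -E '^[[:space:]]*(CRYPTO_POLICY=|MACs[[:space:]])' "$1" 2>/dev/null \
        | grep -oE '(oMACs=|^[[:space:]]*MACs[[:space:]]+)[^[:space:]'"'"']+' \
        | head -n 1 \
        | sed -E 's/^(oMACs=|[[:space:]]*MACs[[:space:]]+)//'
}

# Return 0 if file $1 configures at least one MAC and every configured MAC
# is approved; otherwise report the problem on stderr and return 1.
check_macs_file() {
    file="$1"
    macs=$(configured_macs "$file")
    if [ -z "$macs" ]; then
        echo "$file: no active MACs setting (missing or commented out)" >&2
        return 1
    fi
    status=0
    for mac in $(printf '%s' "$macs" | tr ',' ' '); do
        case " $APPROVED_MACS " in
            *" $mac "*) ;;
            *) echo "$file: unapproved MAC $mac" >&2; status=1 ;;
        esac
    done
    return $status
}

# Demo on a constructed file, so this runs without touching the real system.
demo_dir=$(mktemp -d)
cat > "$demo_dir/opensshserver.config" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr -oMACs=hmac-sha2-512,hmac-sha2-256 -oKexAlgorithms=ecdh-sha2-nistp384'
EOF
if check_macs_file "$demo_dir/opensshserver.config"; then
    echo "compliant: MACs = $(configured_macs "$demo_dir/opensshserver.config")"
else
    echo "NOT compliant"
fi
rm -rf "$demo_dir"
```

On a live system, call `check_macs_file /etc/crypto-policies/back-ends/opensshserver.config` and `check_macs_file /etc/crypto-policies/back-ends/openssh.config`; a non-zero exit status means either an unapproved MAC or no active setting at all, which is the same condition the rule's OVAL check treats as a failure.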
Remediation (shell):

    cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
    # provide a default -rand /dev/random option to openssl commands that
    # support it
    # written inefficiently for maximum shell compatibility
    openssl() (
      openssl_bin=/usr/bin/openssl

      case "$*" in
        # if user specified -rand, honor it
        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
      esac

      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
      for i in `$openssl_bin list -commands`; do
        if $openssl_bin list -options "$i" | grep -q '^rand '; then
          cmds=" $i $cmds"
        fi
      done

      case "$cmds" in
        *\ "$1"\ *)
          cmd="$1"; shift
          exec $openssl_bin "$cmd" -rand /dev/random "$@"
          ;;
      esac

      exec $openssl_bin "$@"
    )
    EOM

Remediation (Ansible):

    - name: Put a file with shell wrapper to configure OpenSSL to always use strong entropy
      copy:
        dest: /etc/profile.d/openssl-rand.sh
        content: |
          # provide a default -rand /dev/random option to openssl commands that
          # support it
          # written inefficiently for maximum shell compatibility
          openssl() (
            openssl_bin=/usr/bin/openssl

            case "$*" in
              # if user specified -rand, honor it
              *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
            esac

            cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
            for i in `$openssl_bin list -commands`; do
              if $openssl_bin list -options "$i" | grep -q '^rand '; then
                cmds=" $i $cmds"
              fi
            done

            case "$cmds" in
              *\ "$1"\ *)
                cmd="$1"; shift
                exec $openssl_bin "$cmd" -rand /dev/random "$@"
                ;;
            esac

            exec $openssl_bin "$@"
          )
      tags:
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - openssl_use_strong_entropy
        - restrict_strategy

Operating System Vendor Support and Certification

The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product.
A certified product that follows the necessary standards and government certification requirements guarantees that known software vulnerabilities will be remediated, and proper guidance for protecting and securing the operating system will be given.

The Installed Operating System Is FIPS 140-2 Certified

To enable processing of sensitive information the operating system must provide certified cryptographic modules compliant with the FIPS 140-2 standard. There is no remediation besides switching to a different operating system.

Warning: System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

References: CCI-000803 CCI-002450 CIP-003-3 R4.2 CIP-007-3 R5.1 SC-12(2) SC-12(3) IA-7 SC-13 CM-6(a) SC-12 SRG-OS-000120-VMM-000600 SRG-OS-000478-VMM-001980 SRG-OS-000396-VMM-001590

Rationale: The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a computer security standard. The standard specifies security requirements for cryptographic modules used to protect sensitive unclassified information. Refer to the full FIPS 140-2 standard at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf for further details on the requirements. FIPS 140-2 validation is required by U.S. law when information systems use cryptography to protect sensitive government information. In order to achieve FIPS 140-2 certification, cryptographic modules are subject to extensive testing by independent laboratories, accredited by the National Institute of Standards and Technology (NIST).

The Installed Operating System Is Vendor Supported

The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. There is no remediation besides switching to a different operating system.

References: 18 20 4 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 CCI-000366 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 CM-6(a) MA-6 SA-13(a) ID.RA-1 PR.IP-12 SRG-OS-000480-GPOS-00227 SV-230221r743913_rule

Rationale: An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software.

Endpoint Protection Software

Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base platform. Add-on software may not be appropriate for some specialized systems.

Configure Backups of User Data

The operating system must conduct backups of user data contained in the operating system. The operating system provides utilities for automating backups of user data. Commercial and open-source products are also available.

Rationale: Operating system backup is a critical step in maintaining data assurance and availability.
User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.

Install Virus Scanning Software

Virus scanning software can be used to protect a system from penetration by computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 CM-6(a) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Install Intrusion Detection Software

The base Red Hat Enterprise Linux 8 platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user sessions which may become compromised. In DoD environments, supplemental intrusion detection and antivirus tools, such as the McAfee Host-based Security System, are available to integrate with existing infrastructure. Per DISA guidance, when these supplemental tools interfere with proper functioning of SELinux, SELinux takes precedence. Should further clarification be required, DISA contact information is published publicly at https://public.cyber.mil/stigs/

References: 1 12 13 14 15 16 18 7 8 9 APO01.06 APO13.01 DSS01.03 DSS01.05 DSS03.05 DSS05.02 DSS05.04 DSS05.07 DSS06.02 CCI-001263 4.3.3.4 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CM-6(a) DE.CM-1 PR.AC-5 PR.DS-5 PR.PT-4 Req-11.4

Rationale: Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network.

McAfee Endpoint Security Software

In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) are required to be installed on all systems.

The age of McAfee definition file before requiring updating

Specify the amount of time (in seconds) before McAfee definition files need to be updated. Default value: 2592000. Selectable values: 86400, 604800, 2592000.

Enable nails Service

The nails service is used to run McAfee VirusScan Enterprise for Linux and McAfee Host-based Security System (HBSS) services. The nails service can be enabled with the following command:

    $ sudo systemctl enable nails.service

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 CM-6(a) SC-28 SI-3(a) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Remediation (shell):

    # Remediation is applicable only in certain platforms
    if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    "$SYSTEMCTL_EXEC" unmask 'nails.service'
    "$SYSTEMCTL_EXEC" start 'nails.service'
    "$SYSTEMCTL_EXEC" enable 'nails.service'

    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation (Ansible):

    - name: Enable service nails
      block:
        - name: Gather the package facts
          package_facts:
            manager: auto

        - name: Enable service nails
          service:
            name: nails
            enabled: 'yes'
            state: started
            masked: 'no'
          when:
            - '"nails" in ansible_facts.packages'
      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
      tags:
        - NIST-800-53-CM-6(a)
        - NIST-800-53-SC-28
        - NIST-800-53-SI-3(a)
        - enable_strategy
        - low_complexity
        - low_disruption
        - medium_severity
        - no_reboot_needed
        - service_nails_enabled

Remediation (Puppet):

    include enable_nails

    class enable_nails {
      service {'nails':
        enable => true,
        ensure => 'running',
      }
    }

Install McAfee Virus Scanning Software

Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Warning: Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 CM-6(a) SC-28 SI-3(a) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Install the McAfee Runtime Libraries and Linux Agent

Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).

Rationale: The McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are dependencies for VirusScan Enterprise for Linux (VSEL) and Host-based Security System (HBSS) to run.
Virus Scanning Software Definitions Are Updated

Ensure virus definition files are no older than 7 days or their last release.

References: 12 13 14 4 7 8 APO01.06 APO13.02 BAI02.01 BAI06.01 DSS04.07 DSS05.01 DSS05.02 DSS05.03 DSS06.06 CCI-000366 CCI-001239 CCI-001668 4.3.4.3.8 4.4.3.2 SR 3.2 SR 3.3 SR 3.4 SR 4.1 A.12.2.1 A.14.2.8 A.8.2.3 CM-6(a) SC-28 SI-3(a) SI-3(b) SI-3(2) DE.CM-4 DE.DP-3 PR.DS-1 SRG-OS-000480-GPOS-00227

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

McAfee Endpoint Security for Linux (ENSL)

McAfee Endpoint Security for Linux (ENSL) is a suite of software applications used to monitor, detect, and defend computer networks and systems.

Install McAfee Endpoint Security for Linux (ENSL)

Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The mcafeetp package can be installed with the following command:

    $ sudo yum install mcafeetp

Warning: Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, automated remediation is not available for this configuration check.

References: CCI-001233 SI-2(2) SRG-OS-000191-GPOS-00080 SV-245540r754730_rule

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

Ensure McAfee Endpoint Security for Linux (ENSL) is running

Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Warning: Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software, automated remediation is not available for this configuration check.

References: CCI-001233 SI-2(2) SRG-OS-000191-GPOS-00080 SV-245540r754730_rule

Rationale: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems.

McAfee Host-Based Intrusion Detection Software (HBSS)

McAfee Host-based Security System (HBSS) is a suite of software applications used to monitor, detect, and defend computer networks and systems.

Install the Host Intrusion Prevention System (HIPS) Module

Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module. Installing and enabling this module conflicts with SELinux. Per DoD/DISA guidance, SELinux takes precedence over this module.

Warning: Due to McAfee HIPS being 3rd party software, automated remediation is not available for this configuration check.

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001233 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 CM-6(a) DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 SRG-OS-000191-GPOS-00080 SRG-OS-000196 SRG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Remediation (OSBuild blueprint):

    [[packages]]
    name = "MFEhiplsm"
    version = "*"

Install the Asset Configuration Compliance Module (ACCM)

Install the Asset Configuration Compliance Module (ACCM).

Warning: Due to HBSS ACCM being 3rd party software, automated remediation is not available for this configuration check.

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 CM-6(a) DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Install the Policy Auditor (PA) Module

Install the Policy Auditor (PA) Module.

Warning: Due to McAfee being 3rd party software, automated remediation is not available for this configuration check.

References: 1 11 12 13 14 15 16 18 19 2 3 4 5 6 7 8 9 APO01.06 APO07.06 APO08.04 APO10.05 APO11.06 APO12.01 APO12.02 APO12.03 APO12.04 APO12.06 APO13.01 APO13.02 BAI08.02 BAI08.04 DSS01.03 DSS01.05 DSS02.04 DSS02.05 DSS02.07 DSS03.01 DSS03.04 DSS03.05 DSS04.05 DSS05.01 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.01 DSS06.02 MEA03.03 MEA03.04 CCI-000366 CCI-001263 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 4.3.3.4 4.3.4.5.2 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.3.4.5.9 4.4.3.2 4.4.3.3 4.4.3.4 SR 2.10 SR 2.11 SR 2.12 SR 2.4 SR 2.8 SR 2.9 SR 3.1 SR 3.3 SR 3.5 SR 3.8 SR 3.9 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.1 SR 6.2 SR 7.1 SR 7.6 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.4.1 A.12.4.3 A.12.5.1 A.12.6.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.7 A.14.2.8 A.15.2.1 A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 A.18.1.4 A.18.2.2 A.18.2.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 Clause 16.1.2 Clause 7.4 CM-6(a) DE.AE-1 DE.AE-2 DE.AE-3 DE.AE-4 DE.CM-1 DE.CM-5 DE.CM-6 DE.CM-7 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 ID.RA-1 PR.AC-5 PR.DS-5 PR.IP-8 PR.PT-4 RS.AN-1 RS.CO-3 Req-11.4 STG-OS-000480-GPOS-00227

Rationale: Without a host-based intrusion detection tool, there is no system-level defense when an intruder gains access to a system or network. Additionally, a host-based intrusion prevention tool can provide methods to immediately lock out detected intrusion attempts.

Disk Partitioning

To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume.
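The rules in this section each ask for one directory (/boot, /home, /opt, /srv, /tmp, /usr, /var, /var/log, /var/log/audit and /var/tmp) to be a separate partition or logical volume. The script below is an added example, not part of the SCAP Security Guide, that audits all of them at once from a mount table in /proc/mounts format (device, mount point, type, options, dump, pass); it assumes that six-field layout and the demo table is constructed to mirror the installer's default layout of /, /boot and swap described in the next paragraph.

```shell
#!/bin/bash
# Added example, not part of the SCAP Security Guide: report which of the
# directories this section recommends isolating are separate mount points.
# Reads a mount table in /proc/mounts format (device, mountpoint, fstype,
# options, dump, pass), so it can run against the live system or a saved copy.

# Directories covered by the partitioning rules in this section.
REQUIRED_MOUNTS="/boot /home /opt /srv /tmp /usr /var /var/log /var/log/audit /var/tmp"

# Return 0 if directory $1 is listed as a mount point in mount table $2.
is_separate_mount() {
    awk -v dir="$1" '$2 == dir { found = 1 } END { exit !found }' "$2"
}

# Print, space separated, the required directories that are NOT their own
# mount point according to mount table $1 (empty line if all are separate).
missing_mounts() {
    missing=""
    for dir in $REQUIRED_MOUNTS; do
        if ! is_separate_mount "$dir" "$1"; then
            missing="$missing $dir"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Demo on a constructed mount table matching the installer's default layout
# (/, /boot and swap only). To audit the live system, pass /proc/mounts.
demo_table=$(mktemp)
cat > "$demo_table" <<'EOF'
/dev/mapper/rhel-root / xfs rw,seclabel,relatime 0 0
/dev/vda1 /boot xfs rw,seclabel,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
EOF
echo "not on their own partition: $(missing_mounts "$demo_table")"
rm -f "$demo_table"
```

Running `missing_mounts /proc/mounts` on an installed system gives the list of directories still to migrate with LVM; the per-directory rules that follow explain why each one matters and which mount options the separation makes possible.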
The installer's default partitioning scheme creates separate logical volumes for /, /boot, and swap. If starting with any of the default layouts, check the box to "Review and modify partitioning." This allows for the easy creation of additional logical volumes inside the volume group already created, though it may require making /'s logical volume smaller to create space. In general, using logical volumes is preferable to using partitions because they can be more easily adjusted later. If creating a custom layout, create the partitions mentioned in the previous paragraph (which the installer will require anyway), as well as the separate ones described in the following sections. If a system has already been installed, and the default partitioning scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM.

Encrypt Partitions

Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

    part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE

Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. By default, the Anaconda installer uses the aes-xts-plain64 cipher with a minimum 512 bit key size, which should be compatible with FIPS mode enabled. Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening.

References: 13 14 APO01.06 BAI02.01 BAI06.01 DSS04.07 DSS05.03 DSS05.04 DSS05.07 DSS06.02 DSS06.06 3.13.16 CCI-001199 CCI-002475 CCI-002476 164.308(a)(1)(ii)(D) 164.308(b)(1) 164.310(d) 164.312(a)(1) 164.312(a)(2)(iii) 164.312(a)(2)(iv) 164.312(b) 164.312(c) 164.314(b)(2)(i) 164.312(d) SR 3.4 SR 4.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CIP-003-3 R4.2 CIP-007-3 R5.1 CM-6(a) SC-28 SC-28(1) SC-13 AU-9(3) PR.DS-1 PR.DS-5 SRG-OS-000405-GPOS-00184 SRG-OS-000185-GPOS-00079 SRG-OS-000404-GPOS-00183 SV-230224r627750_rule SRG-OS-000404-VMM-001650 SRG-OS-000405-VMM-001660

Rationale: The risk of a system's physical compromise, particularly for mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

Ensure /boot Located On Separate Partition

It is recommended that the /boot directory resides on a separate partition. This makes it easier to apply restrictions, e.g. through the noexec mount option. Eventually, the /boot partition can be configured not to be mounted automatically with the noauto mount option.

References: BP28(R12)

Rationale: The /boot partition contains the kernel and bootloader files. Access to this partition should be restricted.
Remediation (Kickstart):

    part /boot

Ensure /home Located On Separate Partition

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

References: BP28(R12) 1.1.13 12 15 8 APO13.01 DSS05.02 CCI-000366 CCI-001208 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 CM-6(a) SC-5(2) PR.PT-4 SRG-OS-000480-GPOS-00227 SV-230328r627750_rule

Rationale: Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Remediation (Kickstart):

    part /home

Ensure /opt Located On Separate Partition

It is recommended that the /opt directory resides on a separate partition.

References: BP28(R12)

Rationale: The /opt partition contains additional software, usually installed outside the packaging system. Putting this directory on a separate partition makes it easier to apply restrictions, e.g. through the nosuid mount option.

Remediation (Kickstart):

    part /opt

Ensure /srv Located On Separate Partition

If a file server (FTP, TFTP...) is hosted locally, create a separate partition for /srv at installation time (or migrate it later using LVM). If /srv will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

References: BP28(R12)

Rationale: /srv holds the files served by local network file servers such as FTP. Ensuring that /srv is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

Remediation (Kickstart):

    part /srv

Ensure /tmp Located On Separate Partition

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

References: BP28(R12) 1.1.2 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 CM-6(a) SC-5(2) PR.PT-4 SRG-OS-000480-GPOS-00227 SV-230295r627750_rule

Rationale: The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Remediation (Kickstart):

    part /tmp

Ensure /usr Located On Separate Partition

It is recommended that the /usr directory resides on a separate partition.

References: BP28(R12)

Rationale: The /usr partition contains system software, utilities and files. Putting it on a separate partition allows limiting its size and applying restrictions through mount options.

Remediation (Kickstart):

    part /usr

Ensure /var Located On Separate Partition

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

References: BP28(R12) 1.1.6 12 15 8 APO13.01 DSS05.02 CCI-000366 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.13.1.1 A.13.2.1 A.14.1.3 CM-6(a) SC-5(2) PR.PT-4 SRG-OS-000480-GPOS-00227 SV-230292r627750_rule SRG-OS-000341-VMM-001220

Rationale: Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

Remediation (Kickstart):

    part /var

Ensure /var/log Located On Separate Partition

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

References: BP28(R12) BP28(R47) 1.1.11 1 12 14 15 16 3 5 6 8 APO11.04 APO13.01 BAI03.05 DSS05.02 DSS05.04 DS205.07 MEA02.01 CCI-000366 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 CIP-007-3 R6.5 CM-6(a) AU-4 SC-5(2) PR.PT-1 PR.PT-4 SRG-OS-000480-GPOS-00227 SV-230293r627750_rule

Rationale: Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Remediation (Kickstart):

    part /var/log

Ensure /var/log/audit Located On Separate Partition

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

References: BP28(R43) 1.1.12 1 12 13 14 15 16 2 3 5 6 8 APO11.04 APO13.01 BAI03.05 BAI04.04 DSS05.02 DSS05.04 DSS05.07 MEA02.01 CCI-000366 CCI-001849 164.312(a)(2)(ii) 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4 SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.2 SR 7.6 A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.13.1.1 A.13.2.1 A.14.1.3 A.17.2.1 CIP-007-3 R6.5 CM-6(a) AU-4 SC-5(2) PR.DS-4 PR.PT-1 PR.PT-4 SRG-OS-000341-GPOS-00132 SRG-OS-000480-GPOS-00227 SV-230294r627750_rule SRG-OS-000341-VMM-001220

Rationale: Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Remediation (Kickstart):

    part /var/log/audit

Ensure /var/tmp Located On Separate Partition

The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

References: BP28(R12) 1.1.7 SRG-OS-000480-GPOS-00227 SV-244529r743836_rule

Rationale: The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Remediation (Kickstart):

    part /var/tmp

GNOME Desktop Environment

GNOME is a graphical desktop environment bundled with many Linux distributions that allows users to easily interact with the operating system graphically rather than textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user switching contexts as well as display server management. GNOME is developed by the GNOME Project and is considered the default Red Hat graphical environment. For more information on GNOME and the GNOME Project, see https://www.gnome.org.

Remove the GDM Package Group

By removing the gdm package, the system no longer has GNOME installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:

    $ sudo yum remove gdm

References: CM-7(a) CM-7(b) CM-6(a) SRG-OS-000480-GPOS-00227

Rationale: Unnecessary service packages must not be installed to decrease the attack surface of the system. A graphical environment is unnecessary for certain types of systems including a virtualization hypervisor.

Remediation (shell):

    # Remediation is applicable only in certain platforms
    if rpm --quiet -q gdm; then

    # CAUTION: This remediation script will remove gdm
    #          from the system, and may remove any packages
    #          that depend on gdm. Execute this
    #          remediation AFTER testing on a non-production
    #          system!
if rpm -q --quiet "gdm" ; then
    yum remove -y "gdm"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_gdm_removed

- name: Ensure gdm is removed
  package:
    name: gdm
    state: absent
  when: '"gdm" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_gdm_removed

Remediation Puppet snippet:
include remove_gdm

class remove_gdm {
  package { 'gdm':
    ensure => 'purged',
  }
}

Remediation Anaconda snippet:
package --remove=gdm

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command.

References: 1.8.2 164.308(a)(1)(ii)(B) 164.308(a)(5)(ii)(A) SRG-OS-000480-GPOS-00227

Rationale: Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time: the configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure GNOME3 DConf User Profile

By default, DConf provides a standard user profile. This profile contains a list of DConf configuration databases. The user profile and database always take the highest priority. As such the DConf user profile should always exist and be configured correctly.
To make sure that the user profile is configured correctly, /etc/dconf/profile/user should be set as follows:
user-db:user
system-db:local
system-db:site
system-db:distro

Rationale: Failure to have a functional DConf profile prevents GNOME3 configuration settings from being enforced for all users and allows various security risks.

Configure GNOME Login Screen

In the default GNOME desktop, the login screen is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to log in automatically and/or with a guest account. The login screen should be configured to prevent such behavior. For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/ and the man page dconf(1).

Disable the GNOME3 Login Restart and Shutdown Buttons

In the default graphical environment, users logging directly into the system are greeted with a login screen that allows any user, known or unknown, the ability to shut down or restart the system. This functionality should be disabled by setting disable-restart-buttons to true.

To disable, add or edit disable-restart-buttons in /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-restart-buttons=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-restart-buttons

After the settings have been set, run dconf update.
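The three dconf rules above (database newer than its keyfiles, the user profile contents, and a locked login-screen key) reduce to the same checks for every dconf key in this guide; the following added audit script is not part of the SCAP Security Guide and generalises those checks to any database directory and key. It assumes that dconf merges the keyfiles of one database in sorted filename order and, like the guide's remediation, ignores keyfiles whose name mentions ibus or distro; the sample /etc/dconf tree it builds is constructed for illustration.

```python
"""Audit the dconf pieces the guide's GNOME rules touch: keyfile value, lock entry,
compiled-database freshness and /etc/dconf/profile/user. Added example, not code
from the SCAP Security Guide. Run as root against /etc/dconf, or use the
constructed sample tree from build_sample_tree()."""
import os
import re
import tempfile
from pathlib import Path

# The guide's remediation scripts skip keyfiles whose path mentions ibus or distro.
IGNORED_FILES = re.compile(r"distro|ibus")
# /etc/dconf/profile/user as the guide prescribes it, in order.
EXPECTED_USER_PROFILE = ["user-db:user", "system-db:local", "system-db:site", "system-db:distro"]


def parse_keyfile(path):
    """Return {section: {key: value}} for one dconf keyfile (comments and blanks skipped)."""
    sections, current = {}, None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def setting_value(db_dir, section, key):
    """Effective value of section/key across the database directory, or None if unset.
    Assumption: dconf merges keyfiles in sorted filename order, so a later file wins."""
    value = None
    for path in sorted(p for p in Path(db_dir).iterdir() if p.is_file()):
        if IGNORED_FILES.search(path.name):
            continue
        value = parse_keyfile(path).get(section, {}).get(key, value)
    return value


def lock_present(db_dir, dconf_path):
    """True when some file under <db_dir>/locks lists the dconf path on a line of its own."""
    locks = Path(db_dir) / "locks"
    if not locks.is_dir():
        return False
    return any(dconf_path in (line.strip() for line in f.read_text().splitlines())
               for f in locks.iterdir() if f.is_file())


def database_is_current(db_root, db_name):
    """The compiled <db_root>/<db_name> must be at least as new as every keyfile and lock
    under <db_root>/<db_name>.d, which is what running 'dconf update' guarantees."""
    compiled = Path(db_root) / db_name
    if not compiled.is_file():
        return False
    db_mtime = compiled.stat().st_mtime
    sources = [p for p in (Path(db_root) / f"{db_name}.d").rglob("*") if p.is_file()]
    return all(db_mtime >= p.stat().st_mtime for p in sources)


def audit_setting(db_root, db_name, section, key, expected):
    """The three conditions a dconf rule in this guide implies, as one dict of booleans."""
    db_dir = Path(db_root) / f"{db_name}.d"
    return {
        "value_ok": setting_value(db_dir, section, key) == expected,
        "locked": lock_present(db_dir, f"/{section}/{key}"),
        "db_current": database_is_current(db_root, db_name),
    }


def user_profile_ok(profile_path):
    """Compare the user profile with the database list and order the guide prescribes."""
    lines = [line.strip() for line in Path(profile_path).read_text().splitlines()]
    return [line for line in lines if line and not line.startswith("#")] == EXPECTED_USER_PROFILE


def build_sample_tree(db_current=True):
    """Constructed sample /etc/dconf layout in a temp dir (not copied from any system)."""
    root = Path(tempfile.mkdtemp(prefix="dconf-audit-"))
    gdm_d = root / "gdm.d"
    (gdm_d / "locks").mkdir(parents=True)
    (root / "profile").mkdir()
    (gdm_d / "00-security-settings").write_text(
        "[org/gnome/login-screen]\ndisable-restart-buttons=true\n"
        "disable-user-list=true\nallowed-failures=3\n")
    # A later-sorting ibus file that would override allowed-failures if it were not ignored.
    (gdm_d / "99-ibus").write_text("[org/gnome/login-screen]\nallowed-failures=10\n")
    (gdm_d / "locks" / "00-security-settings-lock").write_text(
        "/org/gnome/login-screen/disable-restart-buttons\n"
        "/org/gnome/login-screen/disable-user-list\n")
    (root / "profile" / "user").write_text("\n".join(EXPECTED_USER_PROFILE) + "\n")
    compiled = root / "gdm"
    compiled.write_bytes(b"")  # stands in for the binary database 'dconf update' writes
    newest = max(p.stat().st_mtime for p in gdm_d.rglob("*") if p.is_file())
    stamp = newest + 10 if db_current else newest - 10  # current vs. stale database
    os.utime(compiled, (stamp, stamp))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(audit_setting(root, "gdm", "org/gnome/login-screen", "disable-user-list", "true"))
    print("user profile ok:", user_profile_ok(root / "profile" / "user"))
```

Against a real host, call audit_setting("/etc/dconf/db", "gdm", "org/gnome/login-screen", "disable-restart-buttons", "true") and the same for "local" databases; all three booleans must be true for the rule to pass.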
References: 12 13 14 15 16 18 3 5 APO01.06 DSS05.04 DSS05.07 DSS06.02 3.1.2 CCI-000366 4.3.3.7.3 SR 2.1 SR 5.2 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 CM-6(a) AC-6(1) CM-7(b) PR.AC-4 PR.DS-5 SRG-OS-000480-GPOS-00227

Rationale: A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons are pressed at the login screen, this can create the risk of short-term loss of availability of systems due to reboot.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Append a separating blank line when the keyfile already has content
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
    printf '%s=%s\n' "disable-restart-buttons" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_restart_shutdown
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Disable the GNOME3 Login Restart and Shutdown Buttons
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-restart-buttons
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_restart_shutdown
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME disablement of Login Restart and Shutdown Buttons
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/disable-restart-buttons$
    line: /org/gnome/login-screen/disable-restart-buttons
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_restart_shutdown
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_restart_shutdown
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

Disable the GNOME3 Login User List

In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list in /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-user-list=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-user-list

After the settings have been set, run dconf update.

References: CM-6(a) AC-23

Rationale: Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Append a separating blank line when the keyfile already has content
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
    printf '%s=%s\n' "disable-user-list" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-23
  - NIST-800-53-CM-6(a)
  - dconf_gnome_disable_user_list
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable the GNOME3 Login User List
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: disable-user-list
    value: 'true'
    no_extra_spaces: true
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-23
  - NIST-800-53-CM-6(a)
  - dconf_gnome_disable_user_list
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 disablement of Login User List
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/disable-user-list$
    line: /org/gnome/login-screen/disable-user-list
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-23
  - NIST-800-53-CM-6(a)
  - dconf_gnome_disable_user_list
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-AC-23
  - NIST-800-53-CM-6(a)
  - dconf_gnome_disable_user_list
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Enable the GNOME3 Login Smartcard Authentication

In the default graphical environment, smart card authentication can be enabled on the login screen by setting enable-smartcard-authentication to true.

To enable, add or edit enable-smartcard-authentication in /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
enable-smartcard-authentication=true

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/enable-smartcard-authentication

After the settings have been set, run dconf update.

References: CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884 CCI-001948 CCI-001954 IA-2(3) IA-2(4) IA-2(8) IA-2(9) IA-2(11) Req-8.3 SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162

Rationale: Smart card login provides two-factor authentication stronger than that provided by a username and password combination.
Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Append a separating blank line when the keyfile already has content
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
    printf '%s=%s\n' "enable-smartcard-authentication" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - PCI-DSS-Req-8.3
  - dconf_gnome_enable_smartcard_auth
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Enable the GNOME3 Login Smartcard Authentication
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: enable-smartcard-authentication
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - PCI-DSS-Req-8.3
  - dconf_gnome_enable_smartcard_auth
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 disablement of Smartcard Authentication
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/enable-smartcard-authentication$
    line: /org/gnome/login-screen/enable-smartcard-authentication
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - PCI-DSS-Req-8.3
  - dconf_gnome_enable_smartcard_auth
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - PCI-DSS-Req-8.3
  - dconf_gnome_enable_smartcard_auth
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Enable the GNOME3 Screen Locking On Smartcard Removal

In the default graphical environment, screen locking on smartcard removal can be enabled by setting removal-action to 'lock-screen'.

To enable, add or edit removal-action in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-action

After the settings have been set, run dconf update.

References: CCI-000056 SRG-OS-000028-GPOS-00009 SRG-OS-000030-GPOS-00011 SV-230351r627750_rule

Rationale: Locking the screen automatically when removing the smartcard can prevent undesired access to the system.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Append a separating blank line when the keyfile already has content
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
    printf '%s=%s\n' "removal-action" "'lock-screen'" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
    if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Detect if removal-action can be found on /etc/dconf/db/local.d/
  find:
    path: /etc/dconf/db/local.d/
    contains: ^\s*removal-action
  register: dconf_gnome_lock_screen_on_smartcard_removal_config_files
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Configure removal-action - default file
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/settings-daemon/peripherals/smartcard
    option: removal-action
    value: '''lock-screen'''
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched == 0
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Configure removal-action - existing files
  ini_file:
    dest: '{{ item.path }}'
    section: org/gnome/settings-daemon/peripherals/smartcard
    option: removal-action
    value: '''lock-screen'''
    create: true
  with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_config_files.files }}'
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched > 0
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Detect if lock for removal-action can be found on /etc/dconf/db/local.d/
  find:
    path: /etc/dconf/db/local.d/locks
    contains: ^\s*removal-action
  register: dconf_gnome_lock_screen_on_smartcard_removal_lock_files
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification removal-action - default file
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$
    line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched == 0
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification removal-action - existing files
  lineinfile:
    path: '{{ item.path }}'
    regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$
    line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
    create: true
  with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_lock_files.files }}'
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched > 0
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update - removal-action
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-020050
  - dconf_gnome_lock_screen_on_smartcard_removal
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Set the GNOME3 Login Number of Failures

In the default graphical environment, the GNOME3 login screen can be configured to restart the authentication process after a configured number of attempts. This can be configured by setting allowed-failures to 3 or less.
To enable, add or edit allowed-failures in /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
allowed-failures=3

Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/allowed-failures

After the settings have been set, run dconf update.

References: 3.1.8 FMT_MOF_EXT.1

Rationale: Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
DBDIR="/etc/dconf/db/gdm.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Append a separating blank line when the keyfile already has content
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
    printf '%s=%s\n' "allowed-failures" "3" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")"
    if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update
# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.8
  - dconf_gnome_login_retries
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Enable the GNOME3 Login Number of Failures
  ini_file:
    dest: /etc/dconf/db/gdm.d/00-security-settings
    section: org/gnome/login-screen
    option: allowed-failures
    value: '3'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.8
  - dconf_gnome_login_retries
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 Login Number of Failures
  lineinfile:
    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/login-screen/allowed-failures$
    line: /org/gnome/login-screen/allowed-failures
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.8
  - dconf_gnome_login_retries
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.8
  - dconf_gnome_login_retries
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Disable GDM Automatic Login

The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. Users should always be required to authenticate themselves to the system that they are authorized to use. To disable the ability of users to automatically login to the system, set AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.1 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-6(a) AC-6(1) CM-7(b) PR.IP-1 FIA_UAU.1 SRG-OS-000480-GPOS-00229 SV-230329r627750_rule

Rationale: Failure to restrict system access to authenticated users negatively impacts operating system security.

Remediation Shell script:
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

if rpm --quiet -q gdm
then
    if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf
    then
        sed -i "/^\[daemon\]/a \
AutomaticLoginEnable=False" /etc/gdm/custom.conf
    else
        sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-010820
  - NIST-800-171-3.1.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - gnome_gdm_disable_automatic_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Disable GDM Automatic Login
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: AutomaticLoginEnable
    value: 'false'
    no_extra_spaces: true
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-010820
  - NIST-800-171-3.1.1
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - gnome_gdm_disable_automatic_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

Disable GDM Guest Login

The GNOME Display Manager (GDM) can allow users to login without credentials, which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access has inherent security risks and should be disabled. To disable timed logins or guest account access, set TimedLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
TimedLoginEnable=false

References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.1.1 CCI-000366 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-7(a) CM-7(b) CM-6(a) IA-2 PR.IP-1 FIA_UAU.1 SRG-OS-000480-GPOS-00229

Rationale: Failure to restrict system access to authenticated users negatively impacts operating system security.
Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

if rpm --quiet -q gdm
then
    # The "a" command below appends after the [daemon] header, so make sure the section exists
    grep -qs "^\[daemon\]" /etc/gdm/custom.conf || printf '%s\n' "[daemon]" >> /etc/gdm/custom.conf
    if ! grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf
    then
        # Append the key directly after the header, without leading whitespace, and write the
        # value exactly as the description gives it: false
        sed -i "/^\[daemon\]/a TimedLoginEnable=false" /etc/gdm/custom.conf
    else
        sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=false/g" /etc/gdm/custom.conf
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - gnome_gdm_disable_guest_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Disable GDM Guest Login
  ini_file:
    dest: /etc/gdm/custom.conf
    section: daemon
    option: TimedLoginEnable
    value: 'false'
    no_extra_spaces: true
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - gnome_gdm_disable_guest_login
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

Disable XDMCP in GDM

Description: XDMCP is an unencrypted protocol and therefore presents a security risk; see, e.g., the XDMCP GNOME docs. To disable XDMCP support in GNOME, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf. For example:

[xdmcp]
Enable=false

Rationale: XDMCP provides unencrypted remote access through the GNOME Display Manager (GDM), which does not provide for the confidentiality and integrity of user passwords or of the remote session. If a privileged user were to log in using XDMCP, the privileged user's password could be compromised, because typed XEvents and keystrokes traverse the network in clear text.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then

# Try to find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf': if the key exists, set it
# to 'false'; if it isn't there, add it; if '[xdmcp]' doesn't exist either, add that too
if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then
    # Limit the substitution to the [xdmcp] section, so that keys in other sections whose
    # names end in "Enable" (AutomaticLoginEnable, TimedLoginEnable) are left untouched
    sed -i '/^[[:space:]]*\[xdmcp\]/,/^[[:space:]]*\[/ s/^[[:space:]]*Enable[[:space:]]*=.*/Enable=false/' '/etc/gdm/custom.conf'
elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then
    sed -i '/[[:space:]]*\[xdmcp]/a Enable=false' '/etc/gdm/custom.conf'
else
    if test -d "/etc/gdm"; then
        printf '%s\n' '[xdmcp]' 'Enable=false' >> '/etc/gdm/custom.conf'
    else
        echo "Config file directory '/etc/gdm' doesn't exist, not remediating, assuming non-applicability." >&2
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - gnome_gdm_disable_xdmcp
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Disable XDMCP in GDM
  ini_file:
    path: /etc/gdm/custom.conf
    section: xdmcp
    option: Enable
    value: 'false'
    create: true
    mode: 420
  when: '"gdm" in ansible_facts.packages'
  tags:
  - gnome_gdm_disable_xdmcp
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

GNOME Media Settings

GNOME media settings that apply to the graphical interface.

Disable GNOME3 Automounting

Description: The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set automount to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
automount=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
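The three GDM rules above all come down to the value of one key in /etc/gdm/custom.conf. The following audit script is an added example and not part of the SCAP Security Guide content: it parses a custom.conf the way the remediations leave it and reports, per rule, whether the key is present with the required value. The sample configuration in it is constructed for illustration; SAMPLE_CUSTOM_CONF, GDM_REQUIRED, parse_custom_conf, audit_gdm and failing_rules are names chosen here, not anything from GDM or the guide.

```python
"""Audit /etc/gdm/custom.conf for the GDM login and XDMCP rules.

Added example, not part of the SCAP Security Guide. The configuration
below is constructed; pass the real file's text to audit_gdm() instead.
"""
import configparser

# Constructed sample: automatic login is on, timed login is already off,
# and XDMCP is enabled. Empty sections are normal in a GDM custom.conf.
SAMPLE_CUSTOM_CONF = """\
# GDM configuration storage
[daemon]
AutomaticLoginEnable=True
AutomaticLogin=kiosk
TimedLoginEnable=false

[security]

[xdmcp]
Enable=true
Port=177

[chooser]
"""

# (section, key) -> required value, as the rule descriptions give them.
GDM_REQUIRED = {
    ("daemon", "AutomaticLoginEnable"): "false",
    ("daemon", "TimedLoginEnable"): "false",
    ("xdmcp", "Enable"): "false",
}


def parse_custom_conf(text):
    """Parse custom.conf. GDM reads it as a GLib key file, where section and
    key names are case-sensitive, so configparser's lower-casing is turned
    off and values are kept verbatim (no interpolation)."""
    parser = configparser.ConfigParser(interpolation=None,
                                       allow_no_value=True, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_gdm(text):
    """Return {(section, key): (status, value_found)}.

    "pass"    the key is present and spelled exactly as required
    "fail"    the key is present with another value (including "True",
              which is not the lowercase literal the guide asks for)
    "missing" the section or key is absent, so the rule is not written
              explicitly and the check cannot vouch for it
    """
    conf = parse_custom_conf(text)
    results = {}
    for (section, key), required in GDM_REQUIRED.items():
        if not conf.has_option(section, key):
            results[(section, key)] = ("missing", None)
            continue
        value = (conf.get(section, key) or "").strip()
        status = "pass" if value == required else "fail"
        results[(section, key)] = (status, value)
    return results


def failing_rules(text):
    """Sorted 'section/key' names of every rule that does not pass."""
    return sorted("%s/%s" % (s, k)
                  for (s, k), (status, _) in audit_gdm(text).items()
                  if status != "pass")


if __name__ == "__main__":
    for (section, key), (status, value) in audit_gdm(SAMPLE_CUSTOM_CONF).items():
        print("[%s] %s: %s (found %r)" % (section, key, status, value))
```

The comparison is deliberately strict: the remediation scripts and the Ansible snippets write the lowercase literal false, and treating a capitalised variant as a pass would hide a file that was hand-edited into a spelling the guide's own check does not use.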
For example:

/org/gnome/desktop/media-handling/automount

After the settings have been set, run dconf update.

Identifiers and References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6

Rationale: Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the file with a blank line
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> "${DCONFFILE}"
    printf '%s=%s\n' "automount" "false" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

- name: Disable GNOME3 Automounting - automount
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: automount
    value: 'false'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

- name: Prevent user modification of GNOME3 Automounting - automount
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/media-handling/automount$
    line: /org/gnome/desktop/media-handling/automount
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

Disable GNOME3 Automount Opening

Description: The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable the automatic opening of mounted media within GNOME3, add or set automount-open to false in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/media-handling]
automount-open=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/media-handling/automount-open

After the settings have been set, run dconf update.

Identifiers and References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Rationale: Disabling automatic mounting in GNOME3 can prevent the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use of removable media.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the file with a blank line
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> "${DCONFFILE}"
    printf '%s=%s\n' "automount-open" "false" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount_open
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable GNOME3 Automounting - automount-open
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: automount-open
    value: 'false'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount_open
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 Automounting - automount-open
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/media-handling/automount-open$
    line: /org/gnome/desktop/media-handling/automount-open
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount_open
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_automount_open
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Disable GNOME3 Automount running

Description: The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable the automatic running of software from inserted media within GNOME3, add or set autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:

[org/gnome/desktop/media-handling]
autorun-never=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/media-handling/autorun-never

After the settings have been set, run dconf update.

Identifiers and References: 12, 16, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 3.1.7, CCI-001958, 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.AC-6, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227

Rationale: Disabling automatic running of software from mounted media in GNOME3 can prevent the introduction of malware via removable media. It will, however, also prevent desktop users from legitimate use of removable media.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the file with a blank line
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/media-handling]" >> "${DCONFFILE}"
    printf '%s=%s\n' "autorun-never" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_autorun
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable GNOME3 Automounting - autorun-never
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: autorun-never
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_autorun
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 Automounting - autorun-never
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/media-handling/autorun-never$
    line: /org/gnome/desktop/media-handling/autorun-never
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_autorun
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_autorun
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Disable All GNOME3 Thumbnailers

Description: The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. To disable the execution of these thumbnail applications, add or set disable-all to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/thumbnailers]
disable-all=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/thumbnailers/disable-all

After the settings have been set, run dconf update. This effectively prevents an attacker from gaining access to a system through a flaw in GNOME3's Nautilus thumbnail creators.
Identifiers and References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3

Rationale: An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem (via a web upload, for example), and assuming a user browses the same location using Nautilus, the malicious file would exploit the thumbnailer, with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the file with a blank line
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> "${DCONFFILE}"
    printf '%s=%s\n' "disable-all" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_thumbnailers
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

- name: Disable All GNOME3 Thumbnailers
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/thumbnailers
    option: disable-all
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_thumbnailers
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

- name: Prevent user modification of GNOME3 Thumbnailers
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/thumbnailers/disable-all$
    line: /org/gnome/desktop/thumbnailers/disable-all
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_thumbnailers
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_thumbnailers
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_severity
  - unknown_strategy

GNOME Network Settings

GNOME network settings that apply to the graphical interface.

Disable WIFI Network Connection Creation in GNOME3

Description: GNOME allows users to create ad-hoc wireless connections through the NetworkManager applet. Wireless connection creation should be disabled by adding or setting disable-wifi-create to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
disable-wifi-create=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/nm-applet/disable-wifi-create

After the settings have been set, run dconf update.

Identifiers and References: 3.1.16

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system, as it could open the system to backdoor attacks.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the file with a blank line
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/nm-applet]" >> "${DCONFFILE}"
    printf '%s=%s\n' "disable-wifi-create" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_create
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable WiFi Network Connection Creation in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: disable-wifi-create
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_create
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 disablement of WiFi
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/nm-applet/disable-wifi-create$
    line: /org/gnome/nm-applet/disable-wifi-create
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_create
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_create
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Disable WIFI Network Notification in GNOME3

Description: By default, GNOME disables WIFI notification. This should be set permanently, so that users do not connect to a wireless network whenever the system finds one. While useful for mobile devices, this notification should be disabled on all other systems. To configure the system to disable the WIFI notification, add or set suppress-wireless-networks-available to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/nm-applet]
suppress-wireless-networks-available=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/nm-applet/suppress-wireless-networks-available

After the settings have been set, run dconf update.

Identifiers and References: 3.1.16

Rationale: Wireless network connections should not be allowed to be configured by general users on a given system, as it could open the system to backdoor attacks.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the file with a blank line
    [ ! -s "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/nm-applet]" >> "${DCONFFILE}"
    printf '%s=%s\n' "suppress-wireless-networks-available" "true" >> "${DCONFFILE}"
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_notification
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable WiFi Network Notification in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/nm-applet
    option: suppress-wireless-networks-available
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_notification
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 disablement of WiFi
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/nm-applet/suppress-wireless-networks-available$
    line: /org/gnome/nm-applet/suppress-wireless-networks-available
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_notification
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.16
  - dconf_gnome_disable_wifi_notification
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

GNOME Remote Access Settings

GNOME remote access settings that apply to the graphical interface.

Require Credential Prompting for Remote Access in GNOME3

Description: By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
authentication-methods=['vnc']

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/Vino/authentication-methods

After the settings have been set, run dconf update.
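Every dconf rule in this guide follows the same three-step pattern: a key set in a keyfile under /etc/dconf/db/local.d/, a lock naming that key, and dconf update. The following audit is an added example and not part of the SCAP Security Guide content; it reads a system database in the keyfile form the remediations produce and reports, for the media-handling, thumbnailer, nm-applet and Vino keys above (including the Vino require-encryption key described next), whether each is set, set to the required value, and locked against user override. The sample database in it is constructed; REQUIRED, SAMPLE_DB, parse_keyfile, parse_locks, audit_dconf and non_compliant are names chosen here, not dconf or guide identifiers.

```python
"""Audit a dconf system database against the dconf rules in this guide.

Added example, not part of the SCAP Security Guide. The database below is
constructed; its keys are file paths relative to /etc/dconf/db/. To audit a
real host, build the same {relative path: file text} dict from the *.d
directories under /etc/dconf/db/ (the compiled binary databases that sit
directly in that directory are not keyfiles and must be left out).
"""
import os

# Key path -> required value text, exactly as the rule descriptions give it.
REQUIRED = {
    "/org/gnome/desktop/media-handling/automount": "false",
    "/org/gnome/desktop/media-handling/automount-open": "false",
    "/org/gnome/desktop/media-handling/autorun-never": "true",
    "/org/gnome/desktop/thumbnailers/disable-all": "true",
    "/org/gnome/nm-applet/disable-wifi-create": "true",
    "/org/gnome/nm-applet/suppress-wireless-networks-available": "true",
    "/org/gnome/Vino/authentication-methods": "['vnc']",
    "/org/gnome/Vino/require-encryption": "true",
}

# Constructed sample: a hardening keyfile, a second keyfile that contradicts
# one of its keys, and a lock file that covers only some of the keys.
SAMPLE_DB = {
    "local.d/00-security-settings": (
        "[org/gnome/desktop/media-handling]\n"
        "automount=false\n"
        "automount-open=false\n\n"
        "[org/gnome/desktop/thumbnailers]\n"
        "disable-all=true\n\n"
        "[org/gnome/Vino]\n"
        "authentication-methods=['vnc']\n"
        "require-encryption=true\n"),
    "local.d/10-site-defaults": (
        "[org/gnome/desktop/media-handling]\n"
        "automount=true\n"),
    "local.d/locks/00-security-settings-lock": (
        "/org/gnome/desktop/media-handling/automount\n"
        "/org/gnome/desktop/thumbnailers/disable-all\n"
        "/org/gnome/Vino/authentication-methods\n"
        "/org/gnome/Vino/require-encryption\n"),
}


def parse_keyfile(text):
    """Yield (key path, value) pairs. A [section] names a directory, so
    [org/gnome/desktop/media-handling] plus automount=false yields
    ("/org/gnome/desktop/media-handling/automount", "false")."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip("/")
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            yield "/%s/%s" % (section, key.strip()), value.strip()


def parse_locks(text):
    """Key paths named in a lock file, one per line."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}


def audit_dconf(files, required=REQUIRED):
    """Return {key path: (status, [(file, value), ...])} where status is
    "pass" (right value in every file and locked), "unlocked" (right value
    but no lock, so a user can override it), "fail" (some file assigns a
    different value) or "missing" (no file sets the key)."""
    assignments, locked = {}, set()
    for relpath, text in files.items():
        if "locks" in relpath.replace(os.sep, "/").split("/"):
            locked |= parse_locks(text)
            continue
        if "distro" in relpath or "ibus" in relpath:  # as the remediations do
            continue
        for path, value in parse_keyfile(text):
            assignments.setdefault(path, []).append((relpath, value))
    results = {}
    for path, want in required.items():
        found = assignments.get(path, [])
        if not found:
            status = "missing"
        elif any(value != want for _, value in found):
            status = "fail"
        elif path not in locked:
            status = "unlocked"
        else:
            status = "pass"
        results[path] = (status, found)
    return results


def non_compliant(files, required=REQUIRED):
    """Sorted key paths whose status is anything other than "pass"."""
    return sorted(path for path, (status, _) in audit_dconf(files, required).items()
                  if status != "pass")
```

The "unlocked" state is the one the page's remediations exist to prevent: a value that is set in the system database but not locked is only a default, and a user can override it in their own database, which is why each rule adds the key to the lock file as well as to the keyfile. A key that is set to the required value in one file and to something else in another is reported as "fail" rather than resolved, because the guide's own remediation greps every keyfile and edits all of them.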
References: 3.1.12, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)

Rationale: Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
    printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
    printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
    if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.12
  - dconf_gnome_remote_access_credential_prompt
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Require Credential Prompting for Remote Access in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/Vino
    option: authentication-methods
    value: '[''vnc'']'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.12
  - dconf_gnome_remote_access_credential_prompt
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 Credential Prompting for Remote Access
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/Vino/authentication-methods$
    line: /org/gnome/Vino/authentication-methods
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.12
  - dconf_gnome_remote_access_credential_prompt
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.12
  - dconf_gnome_remote_access_credential_prompt
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Require Encryption for Remote Access in GNOME3

By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/Vino]
require-encryption=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:

/org/gnome/Vino/require-encryption

After the settings have been set, run dconf update.

References: 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-17(a), AC-17(2), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227

Rationale: Open X displays allow an attacker to capture keystrokes and to execute commands remotely.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
    printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
    printf '%s=%s\n' "require-encryption" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - dconf_gnome_remote_access_encryption
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Require Encryption for Remote Access in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/Vino
    option: require-encryption
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - dconf_gnome_remote_access_encryption
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME3 Encryption for Remote Access
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/Vino/require-encryption$
    line: /org/gnome/Vino/require-encryption
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - dconf_gnome_remote_access_encryption
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - dconf_gnome_remote_access_encryption
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Configure GNOME Screen Locking

In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting Lock. The following sections detail commands to enforce idle activation of the screensaver, screen locking, a blank-screen screensaver, and an idle activation time.

Because users should be trained to lock the screen when they step away from the computer, the automatic locking feature is only meant as a backup. The root account can be screen-locked; however, the root account should never be used to log into an X Windows environment and should only be used for direct login via the console in emergency circumstances.

For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see http://wiki.gnome.org/dconf and the man page dconf(1).
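Every dconf rule in this section, the two Vino rules above and the screensaver rules that follow, is checked the same way: the key must carry the required value under its section in a local db file (files whose path contains distro or ibus are ignored, as in the remediation scripts), and the key path must be locked. The audit helper below is an added example, not part of the SCAP Security Guide or its OVAL checks; it takes the db root as a parameter so it can run offline against a constructed tree (on a live host the root would be /etc/dconf/db), and it shares the benchmark scripts' assumption that db file names contain no whitespace.

```shell
#!/usr/bin/env bash
# Added audit helper (example code, not from the SSG benchmark).
# Sample db tree, file names and values below are constructed for the demo.

# dconf_key_is_set <db_root> <section> <key> <expected-value>
# 0 when some non-distro/non-ibus file under <db_root> has key=expected
# inside [section], 1 otherwise.
dconf_key_is_set() {
  root="$1"; section="$2"; key="$3"; expected="$4"
  files=$(grep -rlF "[$section]" "$root" 2>/dev/null | grep -v -e distro -e ibus) || true
  for f in $files; do
    # inside the matching section strip "key=" and compare the remainder
    awk -v sec="[$section]" -v key="$key" -v want="$expected" '
      $0 == sec { in_sec = 1; next }
      /^\[/     { in_sec = 0 }
      in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {
        sub("^[^=]*=[ \t]*", ""); if ($0 == want) found = 1
      }
      END { exit found ? 0 : 1 }' "$f" && return 0
  done
  return 1
}

# dconf_key_is_locked <db_root> </section/key>
# 0 when the lock line appears verbatim in a non-distro/non-ibus file
# (normally local.d/locks/*), 1 otherwise.
dconf_key_is_locked() {
  hits=$(grep -rlFx -- "$2" "$1" 2>/dev/null | grep -v -e distro -e ibus) || true
  if [ -n "$hits" ]; then return 0; fi
  return 1
}

# audit_rule <db_root> <section> <key> <expected>
# prints one PASS/FAIL line; status 0 only when set AND locked
audit_rule() {
  if ! dconf_key_is_set "$1" "$2" "$3" "$4"; then
    echo "FAIL /$2/$3 is not set to $4 in a local dconf db file"; return 1
  fi
  if ! dconf_key_is_locked "$1" "/$2/$3"; then
    echo "FAIL /$2/$3 is set but not locked"; return 1
  fi
  echo "PASS /$2/$3"
}

# build_sample_db <dir>: constructed tree with one compliant key, one key
# that is set but unlocked, and one key present only in a distro file
build_sample_db() {
  mkdir -p "$1/local.d/locks" "$1/distro.d"
  cat > "$1/local.d/00-security-settings" <<'EOF'
[org/gnome/Vino]
require-encryption=true
authentication-methods=['vnc']

[org/gnome/desktop/session]
idle-delay=uint32 900
EOF
  cat > "$1/local.d/locks/00-security-settings-lock" <<'EOF'
/org/gnome/Vino/require-encryption
/org/gnome/desktop/session/idle-delay
EOF
  # vendor defaults: the rules deliberately ignore distro*/ibus* files
  cat > "$1/distro.d/10-vendor" <<'EOF'
[org/gnome/desktop/screensaver]
lock-enabled=true
EOF
}

demo=$(mktemp -d); build_sample_db "$demo"; overall=0
audit_rule "$demo" org/gnome/Vino require-encryption true            || overall=1
audit_rule "$demo" org/gnome/Vino authentication-methods "['vnc']"   || overall=1
audit_rule "$demo" org/gnome/desktop/session idle-delay 'uint32 900' || overall=1
audit_rule "$demo" org/gnome/desktop/screensaver lock-enabled true   || overall=1
echo "overall: $overall"   # 1 means at least one rule failed
rm -rf "$demo"
```

The value comparison is exact, so a typed value such as uint32 900 must match the whole right-hand side, which is also why the remediation scripts write the type prefix together with the number.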
Screensaver Inactivity timeout
Choose allowed duration (in seconds) of inactive graphical sessions
Selectable values: 600, 900, 1800, 300. Default: 900

Screensaver Lock Delay
Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt
Selectable values: 10, 5, 0. Default: 0

Enable GNOME3 Screensaver Idle Activation

To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set idle-activation-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
idle-activation-enabled=true

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-11(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require that the login session not have administrator rights and that the display station be located in a controlled-access area.
Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
    printf '%s=%s\n' "idle-activation-enabled" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Enable GNOME3 Screensaver Idle Activation
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: idle-activation-enabled
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME idle-activation-enabled
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled$
    line: /org/gnome/desktop/screensaver/idle-activation-enabled
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Ensure Users Cannot Change GNOME3 Screensaver Idle Activation

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/idle-activation-enabled to /etc/dconf/db/local.d/00-security-settings.
For example:

/org/gnome/desktop/screensaver/idle-activation-enabled

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_locked
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME Screensaver idle-activation-enabled
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled$
    line: /org/gnome/desktop/screensaver/idle-activation-enabled
    create: true
  when: '"gdm" in ansible_facts.packages'
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_locked
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when: '"gdm" in ansible_facts.packages'
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_activation_locked
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Set GNOME3 Screensaver Inactivity Timeout

The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting, which must be set in an appropriate configuration file in the /etc/dconf/db/local.d directory and locked in the /etc/dconf/db/local.d/locks directory to prevent user modification. For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:

[org/gnome/desktop/session]
idle-delay=uint32 900

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SV-230352r646876_rule

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock.
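The remediation script for this rule, like the one for the lock-delay rule that follows it, is one hand-expanded instance of a single procedure: find the local (non distro/ibus) db file that already carries the section, replace the key there or insert it, otherwise create local.d/00-security-settings, then add the lock line once, then run dconf update. The block below is an added example, not the benchmark's own remediation, that writes that procedure once as a parameterized function and wraps it for the two uint32-typed timeouts, rejecting values outside the selectable sets the guide's XCCDF Values list (600, 900, 1800, 300 for the inactivity timeout; 10, 5, 0 for the lock delay). The db root is a parameter so the demo runs offline in a temporary directory; on a live host it would be /etc/dconf/db, and db file names are assumed to contain no whitespace, as in the benchmark scripts.

```shell
#!/usr/bin/env bash
# Added example (not from the SSG benchmark): generic dconf set-and-lock.

# dconf_enforce <db_root> <section> <key> <value>
dconf_enforce() {
  root="$1"; section="$2"; key="$3"; value="$4"
  dbdir="$root/local.d"; lockdir="$dbdir/locks"
  mkdir -p "$lockdir"

  # first local db file that already has [section]; distro*/ibus* files
  # and the locks directory are skipped, as in the benchmark scripts
  target=$(grep -rlF "[$section]" "$dbdir" 2>/dev/null \
             | grep -v -e distro -e ibus -e /locks/ | head -n 1) || true
  if [ -z "$target" ]; then
    target="$dbdir/00-security-settings"
    [ -s "$target" ] && echo >> "$target"      # blank line between sections
    printf '[%s]\n%s=%s\n' "$section" "$key" "$value" >> "$target"
  else
    # rewrite in place: replace the key inside the section (dropping any
    # duplicate), or insert it just before the section ends
    tmp="$target.tmp.$$"
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
      $0 == sec { print; in_sec = 1; next }
      /^\[/ && in_sec { if (!done) print key "=" val; done = 1; in_sec = 0 }
      in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" { if (!done) print key "=" val; done = 1; next }
      { print }
      END { if (in_sec && !done) print key "=" val }
    ' "$target" > "$tmp" && mv "$tmp" "$target"
  fi

  # one lock line per key path, never duplicated
  lockfile="$lockdir/00-security-settings-lock"
  grep -qsFx -- "/$section/$key" "$lockfile" || echo "/$section/$key" >> "$lockfile"

  # compile the binary db only when operating on the live system
  if [ "$root" = /etc/dconf/db ] && command -v dconf >/dev/null 2>&1; then
    dconf update
  fi
}

# value_allowed <value> <allowed>...: 0 when <value> is one of <allowed>
value_allowed() {
  v="$1"; shift
  for a in "$@"; do [ "$v" = "$a" ] && return 0; done
  return 1
}

# enforce_idle_delay <db_root> <seconds>: uint32-typed idle-delay
enforce_idle_delay() {
  value_allowed "$2" 600 900 1800 300 || { echo "idle-delay: $2 is not a selectable value" >&2; return 1; }
  dconf_enforce "$1" org/gnome/desktop/session idle-delay "uint32 $2"
}

# enforce_lock_delay <db_root> <seconds>: uint32-typed lock-delay
enforce_lock_delay() {
  value_allowed "$2" 10 5 0 || { echo "lock-delay: $2 is not a selectable value" >&2; return 1; }
  dconf_enforce "$1" org/gnome/desktop/screensaver lock-delay "uint32 $2"
}

demo=$(mktemp -d)
enforce_idle_delay "$demo" 900
enforce_lock_delay "$demo" 5
dconf_enforce "$demo" org/gnome/desktop/screensaver lock-enabled true
enforce_idle_delay "$demo" 600          # re-run: value replaced, no duplicate line
enforce_idle_delay "$demo" 42 || echo "rejected 42 s as expected"
echo "--- local.d/00-security-settings"; cat "$demo/local.d/00-security-settings"
echo "--- local.d/locks/00-security-settings-lock"; cat "$demo/local.d/locks/00-security-settings-lock"
rm -rf "$demo"
```

Running the demo twice with different values leaves exactly one idle-delay line and one lock line, which is the idempotency the sed-based scripts above are also aiming for; the awk rewrite additionally keeps the key inside its section rather than relying on a regex over the whole file.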
Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

inactivity_timeout_value=""

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
    printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
    printf '%s=%s\n' "idle-delay" "uint32 ${inactivity_timeout_value}" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
    if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020060
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: XCCDF Value inactivity_timeout_value # promote to variable
  set_fact:
    inactivity_timeout_value: !!str
  tags:
  - always

- name: Set GNOME3 Screensaver Inactivity Timeout
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/session
    option: idle-delay
    value: uint32 {{ inactivity_timeout_value }}
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020060
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME idle-delay
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/session/idle-delay$
    line: /org/gnome/desktop/session/idle-delay
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020060
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020060
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_idle_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Set GNOME3 Screensaver Lock Delay After Activation Period

To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-delay=uint32

Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_screensaver_lock_delay=""

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
    printf '%s=%s\n' "lock-delay" "uint32 ${var_screensaver_lock_delay}" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
    if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Set GNOME3 Screensaver Lock Delay After Activation Period
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: lock-delay
    value: uint32 5
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME lock-delay
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/lock-delay$
    line: /org/gnome/desktop/screensaver/lock-delay
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(a)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_delay
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Enable GNOME3 Screensaver Lock After Idle Period

To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

[org/gnome/desktop/screensaver]
lock-enabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

/org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.
References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SV-230347r627750_rule

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
    printf '%s=%s\n' "lock-enabled" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_distribution == 'SLES'
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Enable GNOME3 Screensaver Lock After Idle Period
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: lock-enabled
    value: 'true'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME lock-enabled
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/lock-enabled$
    line: /org/gnome/desktop/screensaver/lock-enabled
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Check GNOME3 screenserver disable-lock-screen false
  command: gsettings get org.gnome.desktop.lockdown disable-lock-screen
  register: cmd_out
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_distribution == 'SLES'
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Update GNOME3 screenserver disable-lock-screen false
  command: gsettings set org.gnome.desktop.lockdown disable-lock-screen false
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_distribution == 'SLES'
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - DISA-STIG-RHEL-08-020030
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_enabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-enabled to /etc/dconf/db/local.d/00-security-settings. For example:

/org/gnome/desktop/screensaver/lock-enabled

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010

Rationale: A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_locked
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME Screensaver lock-enabled
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/lock-enabled$
    line: /org/gnome/desktop/screensaver/lock-enabled
    create: true
  when: '"gdm" in ansible_facts.packages'
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_locked
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when: '"gdm" in ansible_facts.packages'
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_lock_locked
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
```

Implement Blank Screensaver

To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings.
For example:

    [org/gnome/desktop/screensaver]
    picture-uri=''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/picture-uri

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(1), CM-6(a), AC-11(1).1, PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000031-GPOS-00012

Rationale: Setting the screensaver mode to blank-only conceals the contents of the display from passersby.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the keyfile
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
    printf '%s=%s\n' "picture-uri" "string ''" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
    if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(1)
  - NIST-800-53-AC-11(1).1
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_mode_blank
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Implement Blank Screensaver
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: picture-uri
    value: string ''
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(1)
  - NIST-800-53-AC-11(1).1
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_mode_blank
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME picture-uri
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/picture-uri$
    line: /org/gnome/desktop/screensaver/picture-uri
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(1)
  - NIST-800-53-AC-11(1).1
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_mode_blank
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CJIS-5.5.5
  - NIST-800-171-3.1.10
  - NIST-800-53-AC-11(1)
  - NIST-800-53-AC-11(1).1
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.8
  - dconf_gnome_screensaver_mode_blank
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
```

Disable Full User Name on Splash Shield

By default, when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be disabled by adding or setting show-full-name-in-top-bar to false in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/screensaver]
    show-full-name-in-top-bar=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/show-full-name-in-top-bar

After the settings have been set, run dconf update.

References: FMT_MOF_EXT.1

Rationale: Setting the splash screen to not reveal the logged-in user's name conceals who has access to the system from passersby.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the keyfile
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
    printf '%s=%s\n' "show-full-name-in-top-bar" "false" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - dconf_gnome_screensaver_user_info
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable Full Username on Splash Screen
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/screensaver
    option: show-full-name-in-top-bar
    value: 'false'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_screensaver_user_info
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME show-full-name-in-top-bar
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$
    line: /org/gnome/desktop/screensaver/show-full-name-in-top-bar
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_screensaver_user_info
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_screensaver_user_info
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
```

Ensure Users Cannot Change GNOME3 Screensaver Settings

If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/screensaver/lock-delay

After the settings have been set, run dconf update.
References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - dconf_gnome_screensaver_user_locks
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME lock-delay
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/screensaver/lock-delay$
    line: /org/gnome/desktop/screensaver/lock-delay
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - dconf_gnome_screensaver_user_locks
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - dconf_gnome_screensaver_user_locks
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
```

Ensure Users Cannot Change GNOME3 Session Idle Settings

If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/session/idle-delay

After the settings have been set, run dconf update.

References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - dconf_gnome_session_idle_user_locks
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME Session idle-delay
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/session/idle-delay$
    line: /org/gnome/desktop/session/idle-delay
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - dconf_gnome_session_idle_user_locks
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.10
  - NIST-800-53-CM-6(a)
  - dconf_gnome_session_idle_user_locks
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
```

GNOME System Settings

GNOME provides configuration and functionality for a graphical desktop environment that changes graphical configurations or allows a user to perform actions that users normally would not be able to do in non-graphical mode, such as remote access configuration, power policies, geolocation, etc.
Configuring such settings in GNOME will prevent accidental graphical configuration changes by users from taking place.

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3

By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed. To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to '' in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/settings-daemon/plugins/media-keys]
    logout=''

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/settings-daemon/plugins/media-keys/logout

After the settings have been set, run dconf update.

References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, SV-230530r646883_rule

Rationale: A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the keyfile
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE}
    printf '%s=%s\n' "logout" "''" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")"
    if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-040171
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_ctrlaltdel_reboot
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/settings-daemon/plugins/media-keys
    option: logout
    value: ''''''
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-040171
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_ctrlaltdel_reboot
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME disablement of Ctrl-Alt-Del
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/settings-daemon/plugins/media-keys/logout$
    line: /org/gnome/settings-daemon/plugins/media-keys/logout
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-040171
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_ctrlaltdel_reboot
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-RHEL-08-040171
  - NIST-800-171-3.1.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - dconf_gnome_disable_ctrlaltdel_reboot
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy
```

Disable Geolocation in GNOME3

GNOME allows the clock and applications to track and access location information. This setting should be disabled, as applications should not track system location. To configure the system to disable location tracking, add or set enabled to false in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/system/location]
    enabled=false

To configure the clock to disable location tracking, add or set geolocation to false in /etc/dconf/db/local.d/00-security-settings.
For example:

    [org/gnome/clocks]
    geolocation=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/system/location/enabled
    /org/gnome/clocks/geolocation

After the settings have been set, run dconf update.

Rationale: Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/system/location\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the keyfile
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/system/location]" >> ${DCONFFILE}
    printf '%s=%s\n' "enabled" "false" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*enabled\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*enabled\\s*=\\s*.*/enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/system/location\\]|a\\enabled=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/clocks\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the keyfile
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/clocks]" >> ${DCONFFILE}
    printf '%s=%s\n' "geolocation" "false" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
    if grep -q "^\\s*geolocation\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*geolocation\\s*=\\s*.*/geolocation=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/clocks\\]|a\\geolocation=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/system/location/enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/system/location/enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/clocks/geolocation$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/clocks/geolocation" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - dconf_gnome_disable_geolocation
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable Geolocation in GNOME3 - location tracking
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/system/location
    option: enabled
    value: 'false'
    create: true
    no_extra_spaces: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_disable_geolocation
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Disable Geolocation in GNOME3 - clock location tracking
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/clocks
    # the key name must match the lock path below (/org/gnome/clocks/geolocation)
    option: geolocation
    value: 'false'
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_disable_geolocation
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME geolocation - location tracking
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/system/location/enabled$
    line: /org/gnome/system/location/enabled
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_disable_geolocation
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification of GNOME geolocation - clock location tracking
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/clocks/geolocation$
    line: /org/gnome/clocks/geolocation
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_disable_geolocation
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update
  command: dconf update
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - dconf_gnome_disable_geolocation
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy
```

Disable Power Settings in GNOME3

By default, GNOME enables a power profile designed for mobile devices with battery usage. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the power setting, add or set active to false in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/settings-daemon/plugins/power]
    active=false

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/settings-daemon/plugins/power

After the settings have been set, run dconf update.

Rationale: Power settings should not be enabled on systems that are not mobile devices. Enabling power settings on non-mobile devices could have unintended processing consequences on standard systems.

Disable User Administration in GNOME3

By default, GNOME will allow all users to have some administration capability. This should be disabled so that non-administrative users are not making configuration changes. To configure the system to disable user administration capability in the Graphical User Interface (GUI), add or set user-administration-disabled to true in /etc/dconf/db/local.d/00-security-settings. For example:

    [org/gnome/desktop/lockdown]
    user-administration-disabled=true

Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:

    /org/gnome/desktop/lockdown/user-administration-disabled

After the settings have been set, run dconf update.
References: 3.1.5, FMT_MOD_EXT.1

Rationale: Allowing all users to have some administrative capabilities on the system through the Graphical User Interface (GUI) when they would not have them otherwise could allow unintended configuration changes, as well as giving a nefarious user the capability to make system changes such as adding new accounts, etc.

Remediation Shell script:

```bash
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
DBDIR="/etc/dconf/db/local.d"

mkdir -p "${DBDIR}"

if [ "${#SETTINGSFILES[@]}" -eq 0 ]
then
    # Separate the new section from any content already in the keyfile
    [ ! -f "${DCONFFILE}" ] || echo "" >> "${DCONFFILE}"
    printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE}
    printf '%s=%s\n' "user-administration-disabled" "true" >> ${DCONFFILE}
else
    escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
    if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}"
    then
        sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
    else
        sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${SETTINGSFILES[@]}"
    fi
fi

dconf update

# Check for setting in any of the DConf db directories
LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
LOCKSFOLDER="/etc/dconf/db/local.d/locks"

mkdir -p "${LOCKSFOLDER}"

if [[ -z "${LOCKFILES}" ]]
then
    echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
fi

dconf update

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Remediation Ansible snippet:

```yaml
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Detect if user-administration-disabled can be found on /etc/dconf/db/local.d/
  find:
    path: /etc/dconf/db/local.d/
    contains: ^\s*user-administration-disabled
  register: dconf_gnome_disable_user_admin_config_files
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Configure user-administration-disabled - default file
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/lockdown
    option: user-administration-disabled
    value: 'true'
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_disable_user_admin_config_files is defined and dconf_gnome_disable_user_admin_config_files.matched == 0
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Configure user-administration-disabled - existing files
  ini_file:
    dest: '{{ item.path }}'
    section: org/gnome/desktop/lockdown
    option: user-administration-disabled
    value: 'true'
    create: true
  with_items: '{{ dconf_gnome_disable_user_admin_config_files.files }}'
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_disable_user_admin_config_files is defined and dconf_gnome_disable_user_admin_config_files.matched > 0
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Detect if lock for user-administration-disabled can be found on /etc/dconf/db/local.d/
  find:
    path: /etc/dconf/db/local.d/locks
    contains: ^\s*user-administration-disabled
  register: dconf_gnome_disable_user_admin_lock_files
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification user-administration-disabled - default file
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: ^/org/gnome/desktop/lockdown/user-administration-disabled$
    line: /org/gnome/desktop/lockdown/user-administration-disabled
    create: true
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_disable_user_admin_lock_files is defined and dconf_gnome_disable_user_admin_lock_files.matched == 0
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Prevent user modification user-administration-disabled - existing files
  lineinfile:
    path: '{{ item.path }}'
    regexp: ^/org/gnome/desktop/lockdown/user-administration-disabled$
    line: /org/gnome/desktop/lockdown/user-administration-disabled
    create: true
  with_items: '{{ dconf_gnome_disable_user_admin_lock_files.files }}'
  when:
  - '"gdm" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - dconf_gnome_disable_user_admin_lock_files is defined and dconf_gnome_disable_user_admin_lock_files.matched > 0
  tags:
  - NIST-800-171-3.1.5
  - dconf_gnome_disable_user_admin
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Dconf Update - user-administration-disabled
  command: dconf update
  when:
  -
```
'"gdm" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - NIST-800-171-3.1.5 - dconf_gnome_disable_user_admin - high_severity - low_complexity - medium_disruption - no_reboot_needed - unknown_strategy SAP Specific Requirement SAP (Systems, Applications and Products in Data Processing) is enterprise software to manage business operations and customer relations. The following section contains SAP specific requirement that is not part of standard or common OS setting. Sudo Sudo, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups, Sudo can allow a user or group to execute privileged commands that normally only root is allowed to execute. For more information on Sudo and addition Sudo configuration options, see https://www.sudo.ws. Group name dedicated to the use of sudo Specify the name of the group that should own /usr/bin/sudo. root sudogrp Sudo - logfile value Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log. /var/log/sudo.log /var/log/sudo.log Sudo - passwd_timeout value Defines the number of minutes before the sudo password prompt times out. Defining 0 means no timeout. The default timeout value is 5 minutes. 5 0 1 2 3 5 Sudo - timestamp_timeout value Defines the number of minutes that can elapse before sudo will ask for a passwd again. If set to a value less than 0 the user's time stamp will never expire. Defining 0 means always prompt for a password. The default timeout value is 5 minutes. 5 0 1 2 3 5 15 Sudo - umask value Specify the sudo umask to use. The actual umask value that is used is the union of the user's umask and the sudo umask. The default sudo umask is 0022. This guarantess sudo never lowers the umask when running a command. 
Default: 0022. Options: 0022, 0027.

Install sudo Package

The sudo package can be installed with the following command:

$ sudo yum install sudo

References: BP28(R19), 1.3.1, 1382, 1384, 1386, CM-6(a), SRG-OS-000324-GPOS-00125

Rationale: sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

Remediation Shell script:

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "sudo" ; then
    yum install -y "sudo"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet:

- name: Ensure sudo is installed
  package:
    name: sudo
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-53-CM-6(a)
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_sudo_installed

Remediation Puppet snippet:

include install_sudo

class install_sudo {
  package { 'sudo':
    ensure => 'installed',
  }
}

Remediation Kickstart snippet:

package --add=sudo

Remediation OSBuild Blueprint snippet:

[[packages]]
name = "sudo"
version = "*"

Ensure sudo Runs In A Minimal Environment - sudo env_reset

The sudo env_reset tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. On Red Hat Enterprise Linux 8, env_reset is enabled by default. This should be enabled by making sure that the env_reset tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58)

Rationale: Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentally, preventing leaks of potentially sensitive information.

Remediation Shell script:

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\benv_reset\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option env_reset
        echo "Defaults env_reset" >> /etc/sudoers
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: Ensure env_reset is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\benv_reset\b.*$
    line: Defaults env_reset
    validate: /usr/sbin/visudo -cf %s
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_env_reset

Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

The sudo ignore_dot tag, when specified, will ignore the current directory in the PATH environment variable. On Red Hat Enterprise Linux 8, env_reset is enabled by default. This should be enabled by making sure that the ignore_dot tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58)

Rationale: Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally.

Remediation Shell script:

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\bignore_dot\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option ignore_dot
        echo "Defaults ignore_dot" >> /etc/sudoers
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: Ensure ignore_dot is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
    line: Defaults ignore_dot
    validate: /usr/sbin/visudo -cf %s
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_ignore_dot

Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC

The sudo NOEXEC tag, when specified, prevents user-executed commands from executing other commands, such as a shell. This should be enabled by making sure that the NOEXEC tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58)

Rationale: Restricting the capability of sudo-allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise.

Remediation Shell script:

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\bnoexec\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option noexec
        echo "Defaults noexec" >> /etc/sudoers
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: Ensure noexec is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\bnoexec\b.*$
    line: Defaults noexec
    validate: /usr/sbin/visudo -cf %s
  tags:
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_noexec

Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout

The sudo passwd_timeout tag sets the amount of time the sudo password prompt waits. On Red Hat Enterprise Linux 8, the default passwd_timeout value is 5 minutes.
The passwd_timeout should be configured by making sure that the passwd_timeout=sub_var_value("var_sudo_passwd_timeout") tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58)

Rationale: Reducing the time sudo waits for a password reduces the time the process is exposed.

Remediation Shell script:

var_sudo_passwd_timeout=""

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\bpasswd_timeout=\w+\b\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option passwd_timeout
        echo "Defaults passwd_timeout=${var_sudo_passwd_timeout}" >> /etc/sudoers
    else
        # sudoers file defines Option passwd_timeout, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\bpasswd_timeout=${var_sudo_passwd_timeout}\b.*$" /etc/sudoers; then
            sed -Ei "s/(^[\s]*Defaults.*\bpasswd_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_passwd_timeout}\2/" /etc/sudoers
        fi
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: XCCDF Value var_sudo_passwd_timeout # promote to variable
  set_fact:
    var_sudo_passwd_timeout: !!str
  tags:
    - always

- name: Ensure passwd_timeout is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\bpasswd_timeout=[-]?\w+\b(.*)$
    line: Defaults \1passwd_timeout={{ var_sudo_passwd_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_passwd_timeout_option
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_passwd_timeout

- name: Enable passwd_timeout option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults passwd_timeout={{ var_sudo_passwd_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_passwd_timeout_option is defined and not edit_sudoers_passwd_timeout_option.changed
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_passwd_timeout

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

The sudo requiretty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the requiretty tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58)

Rationale: Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.

Remediation Shell script:

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\brequiretty\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option requiretty
        echo "Defaults requiretty" >> /etc/sudoers
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: Ensure requiretty is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\brequiretty\b.*$
    line: Defaults requiretty
    validate: /usr/sbin/visudo -cf %s
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_requiretty

Ensure sudo umask is appropriate - sudo umask

The sudo umask tag, when specified, will be added to the user's umask in the command environment. On Red Hat Enterprise Linux 8, the default umask value is 0022. The umask should be configured by making sure that the umask=sub_var_value("var_sudo_umask") tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58)

Rationale: The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Remediation Shell script:

var_sudo_umask=""

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\bumask=\w+\b\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option umask
        echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers
    else
        # sudoers file defines Option umask, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then
            sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?\w+(\b.*$)/\1${var_sudo_umask}\2/" /etc/sudoers
        fi
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: XCCDF Value var_sudo_umask # promote to variable
  set_fact:
    var_sudo_umask: !!str
  tags:
    - always

- name: Ensure umask is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\bumask=[-]?\w+\b(.*)$
    line: Defaults \1umask={{ var_sudo_umask }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_umask_option
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_umask

- name: Enable umask option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults umask={{ var_sudo_umask }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_umask_option is defined and not edit_sudoers_umask_option.changed
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_umask

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R58), 1.3.2

Rationale: Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.

Remediation Shell script:

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\buse_pty\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option use_pty
        echo "Defaults use_pty" >> /etc/sudoers
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: Ensure use_pty is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\buse_pty\b.*$
    line: Defaults use_pty
    validate: /usr/sbin/visudo -cf %s
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_add_use_pty

Ensure Sudo Logfile Exists - sudo logfile

A custom sudo log file can be configured with the 'logfile' tag. This rule configures a custom sudo logfile at the default location suggested by CIS, which uses /var/log/sudo.log.

References: 1.3.3

Rationale: A sudo log file simplifies auditing of sudo commands.

Remediation Shell script:

var_sudo_logfile=""

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option logfile
        echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
    else
        # sudoers file defines Option logfile, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
            sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?\w+(\b.*$)/\1${var_sudo_logfile}\2/" /etc/sudoers
        fi
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: XCCDF Value var_sudo_logfile # promote to variable
  set_fact:
    var_sudo_logfile: !!str
  tags:
    - always

- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?\w+\b(.*)$
    line: Defaults \1logfile={{ var_sudo_logfile }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_logfile_option
  tags:
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile

- name: Enable logfile option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults logfile={{ var_sudo_logfile }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
  tags:
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile

Ensure a dedicated group owns sudo

Restrict the execution of privilege-escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is . Changing the group owner of /usr/bin/sudo to a group with no member users will prevent any and all escalation of privileges. Additionally, the system may become unmanageable if root logins are not allowed. This rule doesn't come with a remediation; before remediating, the sysadmin needs to add users to the dedicated sudo group.

References: BP28(R57)

Rationale: Restricting the set of users able to execute commands as a privileged user reduces the attack surface.

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-230272r627750_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation Shell script:

for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "!authenticate" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

Remediation Ansible snippet:

- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - DISA-STIG-RHEL-08-010381
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_remove_no_authenticate

- name: Remove lines containing !authenticate from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - DISA-STIG-RHEL-08-010381
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_remove_no_authenticate

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SV-230271r627750_rule, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation Shell script:

for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

Remediation Ansible snippet:

- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - DISA-STIG-RHEL-08-010380
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_remove_nopasswd

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - DISA-STIG-RHEL-08-010380
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_remove_nopasswd

Ensure Users Re-Authenticate for Privilege Escalation - sudo

The sudo NOPASSWD and !authenticate options, when specified, allow a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/.

References: 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation Shell script:

for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "!authenticate" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

Remediation Ansible snippet:

- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strateg
    - sudo_require_authentication

- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Remove lines containing !authenticate from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

The operating system must require Re-Authentication when using the sudo command.

Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout

The sudo timestamp_timeout tag sets the amount of time the sudo password prompt waits. The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in the /etc/sudoers configuration file or any sudo configuration snippet in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SV-237643r646899_rule

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Remediation Shell script:

var_sudo_timestamp_timeout=""

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option timestamp_timeout
        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
    else
        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
            sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
        fi
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Remediation Ansible snippet:

- name: XCCDF Value var_sudo_timestamp_timeout # promote to variable
  set_fact:
    var_sudo_timestamp_timeout: !!str
  tags:
    - always

- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$
    line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option
  tags:
    - DISA-STIG-RHEL-08-010384
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
  tags:
    - DISA-STIG-RHEL-08-010384
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_reauthentication

Ensure only owner and members of group owner of /usr/bin/sudo can execute it

Remove the execute permission bit of /usr/bin/sudo for other users. To properly set the permissions of /usr/bin/sudo, run the command:

$ sudo chmod 4110 /usr/bin/sudo

References: BP28(R57)

Rationale: Restricting the set of users able to execute commands as a privileged user reduces the attack surface.
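The sudo Defaults rules above (env_reset, ignore_dot, noexec, requiretty, use_pty, passwd_timeout, timestamp_timeout, umask, logfile) and the NOPASSWD / !authenticate re-authentication rules each ship their own grep-based check and remediation. What follows is an added example, not code from this guide or from the SCAP Security Guide project: a read-only audit in POSIX sh that reports, in one pass over any set of sudoers files, which hardening flags are missing (honouring a later "!flag" negation), whether the value options are set explicitly (and flags a negative timestamp_timeout, which never expires), and every active line carrying a NOPASSWD: tag or the !authenticate flag. The function names and the two files it builds in a temporary directory are constructed for this demonstration; as simplifications, per-user or per-host Defaults lines are treated as global, @include directives are not followed, and backslash-continued lines are not joined.

```shell
#!/bin/sh
# Added example (not SSG code): read-only audit of sudo Defaults hardening and
# re-authentication settings across any number of sudoers files.
# POSIX sh plus grep/sed/awk; sample files below are constructed for the demo.

# sudo_defaults FILE...: print every option set on an active "Defaults" line,
# one per line. Commented-out lines are skipped; "Defaults:user"/"Defaults@host"
# are treated as global here (simplification); @include is not followed.
sudo_defaults() {
  grep -hE '^[[:space:]]*Defaults' "$@" 2>/dev/null |
    sed -E 's/^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+//' |
    tr ',' '\n' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' |
    grep -v '^$' || true
}

# sudo_default_flag OPTION FILE...: succeed if flag OPTION is set and its last
# mention is not a negation ("!OPTION").
sudo_default_flag() {
  opt=$1; shift
  sudo_defaults "$@" | awk -v o="$opt" '$0 == o {s = 1} $0 == ("!" o) {s = 0} END {exit !s}'
}

# sudo_default_value OPTION FILE...: print the value of OPTION=value (last one
# wins, surrounding quotes removed), or nothing if it is never set.
sudo_default_value() {
  opt=$1; shift
  sudo_defaults "$@" |
    awk -F= -v o="$opt" '$1 == o && NF > 1 {v = $2; gsub(/"/, "", v)} END {if (v != "") print v}'
}

# audit_sudoers FILE...: print one finding per line; silent when every rule passes.
audit_sudoers() {
  for flag in env_reset ignore_dot noexec requiretty use_pty; do
    sudo_default_flag "$flag" "$@" || echo "MISSING_FLAG: Defaults $flag is not set"
  done
  v=$(sudo_default_value timestamp_timeout "$@")
  if [ -z "$v" ]; then
    echo "MISSING_VALUE: timestamp_timeout not set explicitly (sudo default 5)"
  elif [ "$v" -lt 0 ] 2>/dev/null; then
    echo "BAD_VALUE: timestamp_timeout=$v never expires the cached credential"
  fi
  v=$(sudo_default_value passwd_timeout "$@")
  [ -n "$v" ] || echo "MISSING_VALUE: passwd_timeout not set explicitly (sudo default 5)"
  v=$(sudo_default_value umask "$@")
  [ -n "$v" ] || echo "MISSING_VALUE: umask not set explicitly (sudo default 0022)"
  v=$(sudo_default_value logfile "$@")
  [ -n "$v" ] || echo "MISSING_VALUE: logfile not set"
  # any active (uncommented) line carrying a NOPASSWD: tag or the !authenticate flag
  grep -HnE '^[^#]*([[:space:]]NOPASSWD[[:space:]]*:|[[:space:]]!authenticate)' "$@" 2>/dev/null |
    sed 's/^/NO_REAUTH: /' || true
}

# make_sample DIR: write a constructed sudoers file plus one sudoers.d snippet.
make_sample() {
  mkdir -p "$1/sudoers.d"
  cat > "$1/sudoers" <<'EOF'
# constructed sample: some hardening present, timestamp_timeout misconfigured
Defaults    env_reset, ignore_dot, use_pty
Defaults    logfile="/var/log/sudo.log"
Defaults    timestamp_timeout=-1
# Defaults noexec   <- commented out, so not in effect
root    ALL=(ALL:ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
EOF
  cat > "$1/sudoers.d/90-cloud" <<'EOF'
Defaults:cloud-user !authenticate
cloud-user ALL=(ALL) ALL
EOF
}

# audit_sample: build the constructed sample in a temp dir and audit it.
audit_sample() {
  dir=$(mktemp -d) || return 1
  make_sample "$dir"
  audit_sudoers "$dir/sudoers" "$dir/sudoers.d/90-cloud"
  rm -rf "$dir"
}

audit_sample
# Against a live host: audit_sudoers /etc/sudoers /etc/sudoers.d/*
```

On the constructed sample the audit reports noexec and requiretty missing, timestamp_timeout=-1 as never expiring, passwd_timeout and umask unset, and two NO_REAUTH lines (the NOPASSWD entry in the main file and the !authenticate snippet). Because the checks only read the files, the function can run from a cron job or a CI pipeline against a configuration checkout without needing the visudo backup-and-revert dance that the remediations above require.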
Remediation Shell script:

chmod 4110 /usr/bin/sudo

Remediation Ansible snippet:

- name: Test for existence /usr/bin/sudo
  stat:
    path: /usr/bin/sudo
  register: file_exists
  tags:
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - sudo_restrict_others_executable_permission

- name: Ensure permission 4110 on /usr/bin/sudo
  file:
    path: /usr/bin/sudo
    mode: '4110'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - sudo_restrict_others_executable_permission

The operating system must restrict privilege elevation to authorized personnel

The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms the request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file:

ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL

This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.

References: CCI-000366, CM-6(b), CM-6(iv), SRG-OS-000480-GPOS-00227, SV-237641r646893_rule

Rationale: If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

Only the VDSM User Can Use sudo NOPASSWD

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippet in /etc/sudoers.d/.

Rationale: Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Explicit arguments in sudo specifications

All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification. This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments. The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, root ALL=(ALL) echo 1\,2 allows root to execute echo 1,2, but the check would interpret it as two commands echo 1\ and 2. BP28(R63) Any argument can modify quite significantly the behavior of a program, whether regarding the realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the level of its specification. For example, on some systems, the kernel messages are only accessible by root. If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted in order to prevent the user from flushing the buffer through the -c option: user ALL = dmesg "" Don't define allowed commands in sudoers by means of exclusion Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the sudoers file contains a comma-delimited list of command specifications. The definition can make use glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs. This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue. 
BP28(R61) Specifying access right using negation is inefficient and can be easily circumvented. For example, it is expected that a specification like # To avoid absolutely , this rule can be easily circumvented! user ALL = ALL ,!/ bin/sh prevents the execution of the shell but that’s not the case: just copy the binary /bin/sh to a different name to make it executable again through the rule keyword ALL. Don't target root user in the sudoers file The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and ALL or root should not be used. This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. BP28(R60) It is common that the command to be executed does not require superuser rights (editing a file whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit any attempt of privilege escalation through a command, it is better to apply normal user rights. Ensure invoking users password for privilege escalation when using sudo The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for: sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw CCI-000366 CCI-002227 CM-6(b) CM-6.1(iv) SRG-OS-000480-GPOS-00227 SV-237642r646896_rule If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
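The sudoers rules above (unrestricted ALL entries, NOPASSWD outside the vdsm user, negated command specs, root or ALL as runas target, commands without an explicit argument spec, and the !targetpw/!rootpw/!runaspw defaults) can be audited with one small parser. This is an added example, not code from scap-security-guide; it handles only the subset of sudoers syntax the rules describe (no aliases or #include directives) and, unlike the guide's own check, treats a backslash-escaped comma as part of an argument rather than as a command separator. The sample sudoers text is constructed.

```python
"""Audit sudoers text against the sudo rules in this guide (added example)."""
import re
import shlex

# Constructed sample, not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults !targetpw
Defaults !rootpw
# Defaults !runaspw   <- commented out, so this flag is NOT disabled
ALL ALL=(ALL) ALL
vdsm ALL=(ALL) NOPASSWD: /usr/bin/vdsm-tool
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ops ALL=(root) ALL, !/bin/sh
audit ALL=(syslog) /bin/dmesg ""
audit2 ALL=(syslog) /bin/dmesg
dev ALL=(www) /usr/bin/echo 1\\,2
"""

PASSWD_FLAGS = ("targetpw", "rootpw", "runaspw")

# user host=(runas[:group]) cmdspec[, cmdspec ...]
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
# Tags that may prefix a command spec (NOPASSWD:, NOEXEC:, SETENV:, ...).
TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*)+")


def split_cmds(cmds):
    """Split a command list on commas, keeping backslash-escaped commas."""
    return [c.strip().replace("\\,", ",") for c in re.split(r"(?<!\\),", cmds)]


def audit_sudoers(text):
    """Return (line, kind, detail) findings for the rules in this guide."""
    findings = []
    disabled = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (and #include)
        if not line:
            continue
        if line.startswith("Defaults"):
            for flag in PASSWD_FLAGS:
                if re.search(rf"!\s*{flag}\b", line):
                    disabled.add(flag)
            continue
        m = USER_SPEC.match(line)
        if not m:
            findings.append((lineno, "unparsed", line))
            continue
        user, runas, cmds = m["user"], m["runas"], m["cmds"]
        # Only vdsm may use NOPASSWD.
        if "NOPASSWD:" in cmds and user != "vdsm":
            findings.append((lineno, "nopasswd_not_vdsm", user))
        # Runas spec must be explicit and must not be root or ALL.
        if runas is None:
            runas_user = "root"  # sudoers default when no runas spec is given
        else:
            runas_user = runas.split(":")[0].strip() or None  # "(:grp)" keeps invoker
        if runas_user in ("ALL", "root"):
            findings.append((lineno, "root_runas", runas_user))
        for spec in split_cmds(cmds):
            spec = TAG_RE.sub("", spec)
            if spec.startswith("!"):
                findings.append((lineno, "negation", spec))
                continue
            if spec == "ALL":
                if user == "ALL":
                    findings.append((lineno, "unrestricted_all", line))
                continue
            try:
                argv = shlex.split(spec)
            except ValueError:
                findings.append((lineno, "unparsed", spec))
                continue
            # Arguments must be explicit; "" means "no arguments allowed".
            if len(argv) == 1:
                findings.append((lineno, "no_args", argv[0]))
    for flag in PASSWD_FLAGS:
        if flag not in disabled:
            findings.append((0, "passwd_flag_not_disabled", flag))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno:>2}: {kind:<26} {detail}")
```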
if [ -e "/etc/sudoers" ] ; then
    LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers"
else
    touch "/etc/sudoers"
fi
cp "/etc/sudoers" "/etc/sudoers.bak"
# Insert at the end of the file
printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers"
# Clean up after ourselves.
rm "/etc/sudoers.bak"

if [ -e "/etc/sudoers" ] ; then
    LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers"
else
    touch "/etc/sudoers"
fi
cp "/etc/sudoers" "/etc/sudoers.bak"
# Insert at the end of the file
printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers"
# Clean up after ourselves.
rm "/etc/sudoers.bak"

if [ -e "/etc/sudoers" ] ; then
    LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers"
else
    touch "/etc/sudoers"
fi
cp "/etc/sudoers" "/etc/sudoers.bak"
# Insert at the end of the file
printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers"
# Clean up after ourselves.
rm "/etc/sudoers.bak"

- name: Ensure that Defaults !targetpw is defined in sudoers
  lineinfile:
    path: /etc/sudoers
    create: true
    line: Defaults !targetpw
    state: present
  tags:
    - DISA-STIG-RHEL-08-010383
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudoers_validate_passwd

- name: Ensure that Defaults !rootpw is defined in sudoers
  lineinfile:
    path: /etc/sudoers
    create: true
    line: Defaults !rootpw
    state: present
  tags:
    - DISA-STIG-RHEL-08-010383
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudoers_validate_passwd

- name: Ensure that Defaults !runaspw is defined in sudoers
  lineinfile:
    path: /etc/sudoers
    create: true
    line: Defaults !runaspw
    state: present
  tags:
    - DISA-STIG-RHEL-08-010383
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudoers_validate_passwd

System Tooling / Utilities

The following checks evaluate the system for recommended base packages -- both for installation and removal.

Install binutils Package

The binutils package can be installed with the following command:
$ sudo yum install binutils

binutils is a collection of binary utilities required for foundational system operator activities, such as ld, nm, objcopy and readelf.

if ! rpm -q --quiet "binutils" ; then
    yum install -y "binutils"
fi

- name: Ensure binutils is installed
  package:
    name: binutils
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_binutils_installed

include install_binutils

class install_binutils {
  package { 'binutils':
    ensure => 'installed',
  }
}

package --add=binutils

[[packages]]
name = "binutils"
version = "*"

Install dnf-plugin-subscription-manager Package

The dnf-plugin-subscription-manager package can be installed with the following command:
$ sudo yum install dnf-plugin-subscription-manager

0940 1144 1467 1472 1483 1493 1494 1495 FPT_TUD_EXT.1 FPT_TUD_EXT.2 SRG-OS-000366-GPOS-00153

This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; it contains the subscription-manager and product-id plugins.

if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
    yum install -y "dnf-plugin-subscription-manager"
fi

- name: Ensure dnf-plugin-subscription-manager is installed
  package:
    name: dnf-plugin-subscription-manager
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_dnf-plugin-subscription-manager_installed

include install_dnf-plugin-subscription-manager

class install_dnf-plugin-subscription-manager {
  package { 'dnf-plugin-subscription-manager':
    ensure => 'installed',
  }
}

package --add=dnf-plugin-subscription-manager

[[packages]]
name = "dnf-plugin-subscription-manager"
version = "*"

Ensure gnutls-utils is installed

The gnutls-utils package can be installed with the following command:
$ sudo yum install gnutls-utils

FIA_X509_EXT SRG-OS-000480-GPOS-00227

GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.

if ! rpm -q --quiet "gnutls-utils" ; then
    yum install -y "gnutls-utils"
fi

- name: Ensure gnutls-utils is installed
  package:
    name: gnutls-utils
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_gnutls-utils_installed

include install_gnutls-utils

class install_gnutls-utils {
  package { 'gnutls-utils':
    ensure => 'installed',
  }
}

package --add=gnutls-utils

[[packages]]
name = "gnutls-utils"
version = "*"

Install libcap-ng-utils Package

The libcap-ng-utils package can be installed with the following command:
$ sudo yum install libcap-ng-utils

SRG-OS-000445-GPOS-00199

libcap-ng-utils contains applications to analyze the POSIX capabilities of all the programs running on a system. libcap-ng-utils also lets system operators set the file system based capabilities.

if ! rpm -q --quiet "libcap-ng-utils" ; then
    yum install -y "libcap-ng-utils"
fi

- name: Ensure libcap-ng-utils is installed
  package:
    name: libcap-ng-utils
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_libcap-ng-utils_installed

include install_libcap-ng-utils

class install_libcap-ng-utils {
  package { 'libcap-ng-utils':
    ensure => 'installed',
  }
}

package --add=libcap-ng-utils

[[packages]]
name = "libcap-ng-utils"
version = "*"

Ensure nss-tools is installed

The nss-tools package can be installed with the following command:
$ sudo yum install nss-tools

FMT_SMF_EXT.1 SRG-OS-000480-GPOS-00227

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the nss-tools package to install command-line tools to manipulate the NSS certificate and key database.

if ! rpm -q --quiet "nss-tools" ; then
    yum install -y "nss-tools"
fi

- name: Ensure nss-tools is installed
  package:
    name: nss-tools
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_nss-tools_installed

include install_nss-tools

class install_nss-tools {
  package { 'nss-tools':
    ensure => 'installed',
  }
}

package --add=nss-tools

[[packages]]
name = "nss-tools"
version = "*"

Install openscap-scanner Package

The openscap-scanner package can be installed with the following command:
$ sudo yum install openscap-scanner

SRG-OS-000480-GPOS-00227 SRG-OS-000191-GPOS-00080

openscap-scanner contains the oscap command line tool. This tool is a configuration and vulnerability scanner, capable of performing compliance checking using SCAP content.

if ! rpm -q --quiet "openscap-scanner" ; then
    yum install -y "openscap-scanner"
fi

- name: Ensure openscap-scanner is installed
  package:
    name: openscap-scanner
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_openscap-scanner_installed

include install_openscap-scanner

class install_openscap-scanner {
  package { 'openscap-scanner':
    ensure => 'installed',
  }
}

package --add=openscap-scanner

[[packages]]
name = "openscap-scanner"
version = "*"

Install rear Package

The rear package can be installed with the following command:
$ sudo yum install rear

rear contains the Relax-and-Recover (ReaR) utility. ReaR produces a bootable image of a system and restores from backup using this image.

if ! rpm -q --quiet "rear" ; then
    yum install -y "rear"
fi

- name: Ensure rear is installed
  package:
    name: rear
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_rear_installed

include install_rear

class install_rear {
  package { 'rear':
    ensure => 'installed',
  }
}

package --add=rear

[[packages]]
name = "rear"
version = "*"

Install rng-tools Package

The rng-tools package can be installed with the following command:
$ sudo yum install rng-tools

CCI-000366 SRG-OS-000480-GPOS-00227 SV-244527r743830_rule

rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.

if ! rpm -q --quiet "rng-tools" ; then
    yum install -y "rng-tools"
fi

- name: Ensure rng-tools is installed
  package:
    name: rng-tools
    state: present
  tags:
    - DISA-STIG-RHEL-08-010472
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_rng-tools_installed

include install_rng-tools

class install_rng-tools {
  package { 'rng-tools':
    ensure => 'installed',
  }
}

package --add=rng-tools

[[packages]]
name = "rng-tools"
version = "*"

Install scap-security-guide Package

The scap-security-guide package can be installed with the following command:
$ sudo yum install scap-security-guide

SRG-OS-000480-GPOS-00227

The scap-security-guide package provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The SCAP Security Guide project bridges the gap between generalized policy requirements and specific implementation guidelines. A system administrator can use the oscap CLI tool from the openscap-scanner package, or the SCAP Workbench GUI tool from the scap-workbench package, to verify that the system conforms to provided guidelines.
Refer to the scap-security-guide(8) manual page for further information.

if ! rpm -q --quiet "scap-security-guide" ; then
    yum install -y "scap-security-guide"
fi

- name: Ensure scap-security-guide is installed
  package:
    name: scap-security-guide
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_scap-security-guide_installed

include install_scap-security-guide

class install_scap-security-guide {
  package { 'scap-security-guide':
    ensure => 'installed',
  }
}

package --add=scap-security-guide

[[packages]]
name = "scap-security-guide"
version = "*"

Install subscription-manager Package

The subscription-manager package can be installed with the following command:
$ sudo yum install subscription-manager

0940 1144 1467 1472 1483 1493 1494 1495 FPT_TUD_EXT.1 FPT_TUD_EXT.2 SRG-OS-000366-GPOS-00153

Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum.

if ! rpm -q --quiet "subscription-manager" ; then
    yum install -y "subscription-manager"
fi

- name: Ensure subscription-manager is installed
  package:
    name: subscription-manager
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_subscription-manager_installed

include install_subscription-manager

class install_subscription-manager {
  package { 'subscription-manager':
    ensure => 'installed',
  }
}

package --add=subscription-manager

[[packages]]
name = "subscription-manager"
version = "*"

Install tar Package

The tar package can be installed with the following command:
$ sudo yum install tar

The GNU tar program saves many files together into one archive and can restore individual files (or all of the files) from the archive. tar includes multivolume support, automatic archive compression/decompression, and the ability to perform incremental and full backups. If

if ! rpm -q --quiet "tar" ; then
    yum install -y "tar"
fi

- name: Ensure tar is installed
  package:
    name: tar
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_tar_installed

include install_tar

class install_tar {
  package { 'tar':
    ensure => 'installed',
  }
}

package --add=tar

[[packages]]
name = "tar"
version = "*"

Install vim Package

The vim-enhanced package can be installed with the following command:
$ sudo yum install vim-enhanced

Vim (Vi IMproved) is an almost compatible version of the UNIX editor vi.

if ! rpm -q --quiet "vim-enhanced" ; then
    yum install -y "vim-enhanced"
fi

- name: Ensure vim-enhanced is installed
  package:
    name: vim-enhanced
    state: present
  tags:
    - enable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_vim_installed

include install_vim-enhanced

class install_vim-enhanced {
  package { 'vim-enhanced':
    ensure => 'installed',
  }
}

package --add=vim-enhanced

[[packages]]
name = "vim-enhanced"
version = "*"

Uninstall abrt-addon-ccpp Package

The abrt-addon-ccpp package can be removed with the following command:
$ sudo yum erase abrt-addon-ccpp

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin.

# CAUTION: This remediation script will remove abrt-addon-ccpp
#          from the system, and may remove any packages
#          that depend on abrt-addon-ccpp. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-addon-ccpp" ; then
    yum remove -y "abrt-addon-ccpp"
fi

- name: Ensure abrt-addon-ccpp is removed
  package:
    name: abrt-addon-ccpp
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-addon-ccpp_removed

include remove_abrt-addon-ccpp

class remove_abrt-addon-ccpp {
  package { 'abrt-addon-ccpp':
    ensure => 'purged',
  }
}

package --remove=abrt-addon-ccpp

Uninstall abrt-addon-kerneloops Package

The abrt-addon-kerneloops package can be removed with the following command:
$ sudo yum erase abrt-addon-kerneloops

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-addon-kerneloops contains plugins for collecting kernel crash information and a reporter plugin which sends this information to a specified server, usually to kerneloops.org.

# CAUTION: This remediation script will remove abrt-addon-kerneloops
#          from the system, and may remove any packages
#          that depend on abrt-addon-kerneloops. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-addon-kerneloops" ; then
    yum remove -y "abrt-addon-kerneloops"
fi

- name: Ensure abrt-addon-kerneloops is removed
  package:
    name: abrt-addon-kerneloops
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-addon-kerneloops_removed

include remove_abrt-addon-kerneloops

class remove_abrt-addon-kerneloops {
  package { 'abrt-addon-kerneloops':
    ensure => 'purged',
  }
}

package --remove=abrt-addon-kerneloops

Uninstall abrt-addon-python Package

The abrt-addon-python package can be removed with the following command:
$ sudo yum erase abrt-addon-python

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-addon-python contains a python hook and a python analyzer plugin for handling uncaught exceptions in python programs.

# CAUTION: This remediation script will remove abrt-addon-python
#          from the system, and may remove any packages
#          that depend on abrt-addon-python. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-addon-python" ; then
    yum remove -y "abrt-addon-python"
fi

- name: Ensure abrt-addon-python is removed
  package:
    name: abrt-addon-python
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-addon-python_removed

include remove_abrt-addon-python

class remove_abrt-addon-python {
  package { 'abrt-addon-python':
    ensure => 'purged',
  }
}

package --remove=abrt-addon-python

Uninstall abrt-cli Package

The abrt-cli package can be removed with the following command:
$ sudo yum erase abrt-cli

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-cli contains a command line client for controlling the abrt daemon over sockets.
# CAUTION: This remediation script will remove abrt-cli
#          from the system, and may remove any packages
#          that depend on abrt-cli. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-cli" ; then
    yum remove -y "abrt-cli"
fi

- name: Ensure abrt-cli is removed
  package:
    name: abrt-cli
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-cli_removed

include remove_abrt-cli

class remove_abrt-cli {
  package { 'abrt-cli':
    ensure => 'purged',
  }
}

package --remove=abrt-cli

Uninstall abrt-plugin-logger Package

The abrt-plugin-logger package can be removed with the following command:
$ sudo yum erase abrt-plugin-logger

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-plugin-logger is an ABRT plugin which writes a report to a specified file.

# CAUTION: This remediation script will remove abrt-plugin-logger
#          from the system, and may remove any packages
#          that depend on abrt-plugin-logger. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-plugin-logger" ; then
    yum remove -y "abrt-plugin-logger"
fi

- name: Ensure abrt-plugin-logger is removed
  package:
    name: abrt-plugin-logger
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-plugin-logger_removed

include remove_abrt-plugin-logger

class remove_abrt-plugin-logger {
  package { 'abrt-plugin-logger':
    ensure => 'purged',
  }
}

package --remove=abrt-plugin-logger

Uninstall abrt-plugin-rhtsupport Package

The abrt-plugin-rhtsupport package can be removed with the following command:
$ sudo yum erase abrt-plugin-rhtsupport

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-plugin-rhtsupport is an ABRT plugin to report bugs into the Red Hat Support system.

# CAUTION: This remediation script will remove abrt-plugin-rhtsupport
#          from the system, and may remove any packages
#          that depend on abrt-plugin-rhtsupport. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-plugin-rhtsupport" ; then
    yum remove -y "abrt-plugin-rhtsupport"
fi

- name: Ensure abrt-plugin-rhtsupport is removed
  package:
    name: abrt-plugin-rhtsupport
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-plugin-rhtsupport_removed

include remove_abrt-plugin-rhtsupport

class remove_abrt-plugin-rhtsupport {
  package { 'abrt-plugin-rhtsupport':
    ensure => 'purged',
  }
}

package --remove=abrt-plugin-rhtsupport

Uninstall abrt-plugin-sosreport Package

The abrt-plugin-sosreport package can be removed with the following command:
$ sudo yum erase abrt-plugin-sosreport

CCI-000381 SRG-OS-000095-GPOS-00049 SV-230488r627750_rule

abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report.

# CAUTION: This remediation script will remove abrt-plugin-sosreport
#          from the system, and may remove any packages
#          that depend on abrt-plugin-sosreport. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "abrt-plugin-sosreport" ; then
    yum remove -y "abrt-plugin-sosreport"
fi

- name: Ensure abrt-plugin-sosreport is removed
  package:
    name: abrt-plugin-sosreport
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040001
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_abrt-plugin-sosreport_removed

include remove_abrt-plugin-sosreport

class remove_abrt-plugin-sosreport {
  package { 'abrt-plugin-sosreport':
    ensure => 'purged',
  }
}

package --remove=abrt-plugin-sosreport

Uninstall geolite2-city Package

The geolite2-city package can be removed with the following command:
$ sudo yum erase geolite2-city

geolite2-city is part of the GeoLite2 database packages, offering geolocation databases and tooling.

# CAUTION: This remediation script will remove geolite2-city
#          from the system, and may remove any packages
#          that depend on geolite2-city. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "geolite2-city" ; then
    yum remove -y "geolite2-city"
fi

- name: Ensure geolite2-city is removed
  package:
    name: geolite2-city
    state: absent
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_geolite2-city_removed

include remove_geolite2-city

class remove_geolite2-city {
  package { 'geolite2-city':
    ensure => 'purged',
  }
}

package --remove=geolite2-city

Uninstall geolite2-country Package

The geolite2-country package can be removed with the following command:
$ sudo yum erase geolite2-country

geolite2-country is part of the GeoLite2 database packages, offering geolocation databases and tooling.

# CAUTION: This remediation script will remove geolite2-country
#          from the system, and may remove any packages
#          that depend on geolite2-country. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "geolite2-country" ; then
    yum remove -y "geolite2-country"
fi

- name: Ensure geolite2-country is removed
  package:
    name: geolite2-country
    state: absent
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_geolite2-country_removed

include remove_geolite2-country

class remove_geolite2-country {
  package { 'geolite2-country':
    ensure => 'purged',
  }
}

package --remove=geolite2-country

Uninstall gssproxy Package

The gssproxy package can be removed with the following command:
$ sudo yum erase gssproxy

CCI-000381 CCI-000366 SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227 SV-230559r646887_rule

gssproxy is a proxy for GSS API credential handling.

# CAUTION: This remediation script will remove gssproxy
#          from the system, and may remove any packages
#          that depend on gssproxy. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "gssproxy" ; then
    yum remove -y "gssproxy"
fi

- name: Ensure gssproxy is removed
  package:
    name: gssproxy
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040370
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_gssproxy_removed

include remove_gssproxy

class remove_gssproxy {
  package { 'gssproxy':
    ensure => 'purged',
  }
}

Uninstall iprutils Package

The iprutils package can be removed with the following command:
$ sudo yum erase iprutils

CCI-000366 SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227 SV-230560r627750_rule

iprutils provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.

# CAUTION: This remediation script will remove iprutils
#          from the system, and may remove any packages
#          that depend on iprutils. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "iprutils" ; then
    yum remove -y "iprutils"
fi

- name: Ensure iprutils is removed
  package:
    name: iprutils
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040380
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_iprutils_removed

include remove_iprutils

class remove_iprutils {
  package { 'iprutils':
    ensure => 'purged',
  }
}

package --remove=iprutils

Uninstall krb5-workstation Package

The krb5-workstation package can be removed with the following command:
$ sudo yum erase krb5-workstation

CCI-000803 SRG-OS-000095-GPOS-00049 SRG-OS-000120-GPOS-00061 SV-230239r646864_rule

Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd). Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, nor is it permitted in many regulatory environments such as HIPAA.

# CAUTION: This remediation script will remove krb5-workstation
#          from the system, and may remove any packages
#          that depend on krb5-workstation. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "krb5-workstation" ; then
    yum remove -y "krb5-workstation"
fi

- name: Ensure krb5-workstation is removed
  package:
    name: krb5-workstation
    state: absent
  tags:
    - DISA-STIG-RHEL-08-010162
    - disable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_krb5-workstation_removed

include remove_krb5-workstation

class remove_krb5-workstation {
  package { 'krb5-workstation':
    ensure => 'purged',
  }
}

package --remove=krb5-workstation

Uninstall pigz Package

The pigz package can be removed with the following command:
$ sudo yum erase pigz

SRG-OS-000433-GPOS-00192

Binaries shipped in the pigz package in Red Hat Enterprise Linux 8 have not been compiled using recommended compiler flags. The binaries are compiled without sufficient stack protection and their address space layout randomization (ASLR) is weak.

# CAUTION: This remediation script will remove pigz
#          from the system, and may remove any packages
#          that depend on pigz. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "pigz" ; then
    yum remove -y "pigz"
fi

- name: Ensure pigz is removed
  package:
    name: pigz
    state: absent
  tags:
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_pigz_removed

include remove_pigz

class remove_pigz {
  package { 'pigz':
    ensure => 'purged',
  }
}

package --remove=pigz

Uninstall tuned Package

The tuned package can be removed with the following command:
$ sudo yum erase tuned

CCI-000366 SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227 SV-230561r627750_rule

tuned contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage.

# CAUTION: This remediation script will remove tuned
#          from the system, and may remove any packages
#          that depend on tuned. Execute this
#          remediation AFTER testing on a non-production
#          system!
if rpm -q --quiet "tuned" ; then
    yum remove -y "tuned"
fi

- name: Ensure tuned is removed
  package:
    name: tuned
    state: absent
  tags:
    - DISA-STIG-RHEL-08-040390
    - disable_strategy
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - package_tuned_removed

include remove_tuned

class remove_tuned {
  package { 'tuned':
    ensure => 'purged',
  }
}

package --remove=tuned

Updating Software

The yum command line tool is used to install and update software packages. The system also provides a graphical software update tool in the System menu, in the Administration submenu, called Software Update.
Red Hat Enterprise Linux 8 systems contain an installed software catalog called the RPM database, which records metadata of installed packages. Consistently using yum or the graphical Software Update for all software installation allows for insight into the current inventory of installed software on the system. Install dnf-automatic Package The dnf-automatic package can be installed with the following command: $ sudo yum install dnf-automatic BP28(R8) SRG-OS-000191-GPOS-00080 dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution. if ! rpm -q --quiet "dnf-automatic" ; then yum install -y "dnf-automatic" fi - name: Ensure dnf-automatic is installed package: name: dnf-automatic state: present tags: - enable_strategy - low_complexity - low_disruption - medium_severity - no_reboot_needed - package_dnf-automatic_installed include install_dnf-automatic class install_dnf-automatic { package { 'dnf-automatic': ensure => 'installed', } } package --add=dnf-automatic [[packages]] name = "dnf-automatic" version = "*" Ensure yum Removes Previous Package Versions yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf. 18 20 4 APO12.01 APO12.02 APO12.03 APO12.04 BAI03.10 DSS05.01 DSS05.02 3.4.8 CCI-002617 4.2.3 4.2.3.12 4.2.3.7 4.2.3.9 A.12.6.1 A.14.2.3 A.16.1.3 A.18.2.2 A.18.2.3 SI-2(6) CM-11(a) CM-11(b) CM-6(a) ID.RA-1 PR.IP-12 SRG-OS-000437-GPOS-00194 SV-230281r627750_rule SRG-OS-000437-VMM-001760 Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. 
Remediation Shell script:

    # Remediation is applicable only in certain platforms
    if rpm --quiet -q yum; then
        if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
            sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
        else
            echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
            echo "clean_requirements_on_remove=1" >> /etc/yum.conf
        fi
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
      - DISA-STIG-RHEL-08-010440
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SI-2(6)
      - clean_components_post_updating
      - low_complexity
      - low_disruption
      - low_severity
      - no_reboot_needed
      - restrict_strategy

    - name: Ensure YUM Removes Previous Package Versions
      lineinfile:
        dest: /etc/yum.conf
        regexp: ^#?clean_requirements_on_remove
        line: clean_requirements_on_remove=1
        insertafter: \[main\]
        create: true
      when: '"yum" in ansible_facts.packages'
      tags:
      - DISA-STIG-RHEL-08-010440
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SI-2(6)
      - clean_components_post_updating
      - low_complexity
      - low_disruption
      - low_severity
      - no_reboot_needed
      - restrict_strategy

Configure dnf-automatic to Install Available Updates Automatically

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under the [commands] section in /etc/dnf/automatic.conf.

References: BP28(R8) 0940 1144 1467 1472 1483 1493 1494 1495 SI-2(5) CM-6(a) SI-2(c) FMT_SMF_EXT.1 SRG-OS-000191-GPOS-00080

Rationale: Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software.
The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.

Remediation Shell script:

    CONF="/etc/dnf/automatic.conf"
    APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*apply_updates"
    COMMANDS_REGEX="[[:space:]]*\[commands]"

    # Try to find [commands] and apply_updates in automatic.conf: if the option
    # exists, set it to yes; if it is missing, add it; if [commands] does not
    # exist either, add the section together with the option.
    # The regex variables are quoted so the shell does not expand the
    # bracket expressions as filename globs.
    if grep -qzosP "$APPLY_UPDATES_REGEX" "$CONF"; then
        sed -i "s/apply_updates[^(\n)]*/apply_updates = yes/" "$CONF"
    elif grep -qs "$COMMANDS_REGEX" "$CONF"; then
        sed -i "/$COMMANDS_REGEX/a apply_updates = yes" "$CONF"
    else
        mkdir -p /etc/dnf
        echo -e "[commands]\napply_updates = yes" >> "$CONF"
    fi

Remediation Ansible snippet:

    - name: Configure dnf-automatic to Install Available Updates Automatically
      ini_file:
        dest: /etc/dnf/automatic.conf
        section: commands
        option: apply_updates
        value: 'yes'
        create: true
      tags:
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SI-2(5)
      - NIST-800-53-SI-2(c)
      - dnf-automatic_apply_updates
      - low_complexity
      - medium_disruption
      - medium_severity
      - no_reboot_needed
      - unknown_strategy

Configure dnf-automatic to Install Only Security Updates

To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under the [commands] section in /etc/dnf/automatic.conf.

References: BP28(R8) SI-2(5) CM-6(a) SI-2(c) FMT_SMF_EXT.1 SRG-OS-000191-GPOS-00080

Rationale: By default, dnf-automatic installs all available updates. Restricting the automatically updated packages to those issued as part of a security advisory increases system stability.
Remediation Shell script:

    CONF="/etc/dnf/automatic.conf"
    UPGRADE_TYPE_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*upgrade_type"
    COMMANDS_REGEX="[[:space:]]*\[commands]"

    # Try to find [commands] and upgrade_type in automatic.conf: if the option
    # exists, set it to security; if it is missing, add it; if [commands] does
    # not exist either, add the section together with the option.
    # The regex variables are quoted so the shell does not expand the
    # bracket expressions as filename globs.
    if grep -qzosP "$UPGRADE_TYPE_REGEX" "$CONF"; then
        sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" "$CONF"
    elif grep -qs "$COMMANDS_REGEX" "$CONF"; then
        sed -i "/$COMMANDS_REGEX/a upgrade_type = security" "$CONF"
    else
        mkdir -p /etc/dnf
        echo -e "[commands]\nupgrade_type = security" >> "$CONF"
    fi

Remediation Ansible snippet:

    - name: Configure dnf-automatic to Install Only Security Updates
      ini_file:
        dest: /etc/dnf/automatic.conf
        section: commands
        option: upgrade_type
        value: security
        create: true
      tags:
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SI-2(5)
      - NIST-800-53-SI-2(c)
      - dnf-automatic_security_updates_only
      - low_complexity
      - low_severity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

Ensure gpgcheck Enabled In Main yum Configuration

The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

    gpgcheck=1

References: BP28(R15) 1.2.4 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) SI-7 SC-12 SC-12(3) CM-6(a) SA-12 SA-12(10) CM-11(a) CM-11(b) PR.DS-6 PR.DS-8 PR.IP-1 FPT_TUD_EXT.1 FPT_TUD_EXT.2 Req-6.2 SRG-OS-000366-GPOS-00153 SV-230264r627750_rule SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
Remediation Shell script:

    # Remediation is applicable only in certain platforms
    # (replace_or_append is a helper from the SCAP Security Guide shared
    # remediation functions; it sets the matching key to the given value or
    # appends it when the key is absent)
    if rpm --quiet -q yum; then
        replace_or_append "/etc/yum.conf" '^gpgcheck' '1' ''
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
      - CJIS-5.10.4.1
      - DISA-STIG-RHEL-08-010370
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_gpgcheck_globally_activated
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

    - name: Check existence of yum on Fedora
      stat:
        path: /etc/yum.conf
      register: yum_config_file
      check_mode: false
      when:
      - '"yum" in ansible_facts.packages'
      - ansible_distribution == "Fedora"
      tags:
      - CJIS-5.10.4.1
      - DISA-STIG-RHEL-08-010370
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_gpgcheck_globally_activated
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

    - name: Ensure GPG check is globally activated (yum)
      ini_file:
        dest: /etc/yum.conf
        section: main
        option: gpgcheck
        value: 1
        no_extra_spaces: true
        create: false
      when:
      - '"yum" in ansible_facts.packages'
      - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists)
      tags:
      - CJIS-5.10.4.1
      - DISA-STIG-RHEL-08-010370
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_gpgcheck_globally_activated
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

    - name: Ensure GPG check is globally activated (dnf)
      ini_file:
        dest: /etc/dnf/dnf.conf
        section: main
        option: gpgcheck
        value: 1
        no_extra_spaces: true
        create: false
      when:
      - '"yum" in ansible_facts.packages'
      - ansible_distribution == "Fedora"
      tags:
      - CJIS-5.10.4.1
      - DISA-STIG-RHEL-08-010370
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_gpgcheck_globally_activated
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

Ensure gpgcheck Enabled for Local Packages

yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set localpkg_gpgcheck to 1 in /etc/yum.conf.

References: BP28(R15) 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-11(a) CM-11(b) CM-6(a) CM-5(3) SA-12 SA-12(10) PR.IP-1 FPT_TUD_EXT.1 FPT_TUD_EXT.2 SRG-OS-000366-GPOS-00153 SV-230265r627750_rule SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Remediation Shell script:

    # Remediation is applicable only in certain platforms
    # (replace_or_append is a helper from the SCAP Security Guide shared
    # remediation functions; it sets the matching key to the given value or
    # appends it when the key is absent)
    if rpm --quiet -q yum; then
        replace_or_append '/etc/yum.conf' '^localpkg_gpgcheck' '1' ''
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
    fi

Remediation Ansible snippet:

    - name: Gather the package facts
      package_facts:
        manager: auto
      tags:
      - DISA-STIG-RHEL-08-010371
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - ensure_gpgcheck_local_packages
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

    - name: Check existence of yum on Fedora
      stat:
        path: /etc/yum.conf
      register: yum_config_file
      check_mode: false
      when:
      - '"yum" in ansible_facts.packages'
      - ansible_distribution == "Fedora"
      tags:
      - DISA-STIG-RHEL-08-010371
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - ensure_gpgcheck_local_packages
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

    - name: Ensure GPG check Enabled for Local Packages (Yum)
      ini_file:
        dest: /etc/yum.conf
        section: main
        option: localpkg_gpgcheck
        value: 1
        create: true
      when:
      - '"yum" in ansible_facts.packages'
      - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution == "Scientific" or yum_config_file.stat.exists)
      tags:
      - DISA-STIG-RHEL-08-010371
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - ensure_gpgcheck_local_packages
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

    - name: Ensure GPG check Enabled for Local Packages (DNF)
      ini_file:
        dest: /etc/dnf/dnf.conf
        section: main
        option: localpkg_gpgcheck
        value: 1
        create: true
      when:
      - '"yum" in ansible_facts.packages'
      - ansible_distribution == "Fedora"
      tags:
      - DISA-STIG-RHEL-08-010371
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - ensure_gpgcheck_local_packages
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed
      - unknown_strategy

Ensure gpgcheck Enabled for All yum Package Repositories

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

    gpgcheck=0

References: BP28(R15) 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) SI-7 SC-12 SC-12(3) CM-6(a) SA-12 SA-12(10) CM-11(a) CM-11(b) PR.DS-6 PR.DS-8 PR.IP-1 FPT_TUD_EXT.1 FPT_TUD_EXT.2 Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
Remediation Shell script:

    sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*

Remediation Ansible snippet:

    - name: Grep for yum repo section names
      shell: |
        set -o pipefail
        grep -HEr '^\[.+\]' -r /etc/yum.repos.d/
      register: repo_grep_results
      ignore_errors: true
      changed_when: false
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - enable_strategy
      - ensure_gpgcheck_never_disabled
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed

    - name: Set gpgcheck=1 for each yum repo
      ini_file:
        path: '{{ item[0] }}'
        section: '{{ item[1] }}'
        option: gpgcheck
        value: '1'
        no_extra_spaces: true
      loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) }}'
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-11(a)
      - NIST-800-53-CM-11(b)
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SA-12
      - NIST-800-53-SA-12(10)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - enable_strategy
      - ensure_gpgcheck_never_disabled
      - high_severity
      - low_complexity
      - medium_disruption
      - no_reboot_needed

Ensure gpgcheck Enabled for Repository Metadata

Verify that the operating system prevents the installation of patches, service packs, device drivers, or operating system components from local packages without verification of the repository metadata. Check that yum verifies the repository metadata prior to install; this is configured by setting repo_gpgcheck to 1 in /etc/yum.conf.
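The [main] settings from the rules above (gpgcheck, localpkg_gpgcheck, repo_gpgcheck and clean_requirements_on_remove), the dnf-automatic [commands] settings, and the per-repository gpgcheck=0 check can be audited together. The script below is an added example, not SCAP Security Guide content; it takes the directory that stands in for / as its argument, so it can be run against a constructed tree as well as a live system.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide content): audit the package-signing
# and update settings from this section against a configuration root.
# ROOT is the directory standing in for "/" (on RHEL 8, /etc/yum.conf is a
# symlink to /etc/dnf/dnf.conf, so one file carries the [main] settings).

# ini_has FILE SECTION KEY VALUE: succeed if KEY=VALUE is set under [SECTION],
# tolerating spaces around "=", ignoring commented-out lines and other sections.
ini_has() {
    awk -v sect="[$2]" -v key="$3" -v val="$4" '
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line)
                            insect = (line == sect); next }
        insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            if ($0 == val) found = 1
        }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# The gpgcheck, localpkg_gpgcheck, repo_gpgcheck and
# clean_requirements_on_remove rules all live in the [main] section.
check_yum_conf() {   # check_yum_conf ROOT
    rc=0
    for key in gpgcheck localpkg_gpgcheck repo_gpgcheck clean_requirements_on_remove; do
        if ini_has "$1/etc/yum.conf" main "$key" 1; then
            echo "PASS yum.conf [main] $key=1"
        else
            echo "FAIL yum.conf [main] $key=1 not set"; rc=1
        fi
    done
    return $rc
}

# dnf-automatic must both apply updates and restrict itself to security ones.
check_dnf_automatic() {   # check_dnf_automatic ROOT
    rc=0
    conf="$1/etc/dnf/automatic.conf"
    for pair in apply_updates=yes upgrade_type=security; do
        if ini_has "$conf" commands "${pair%%=*}" "${pair#*=}"; then
            echo "PASS automatic.conf [commands] $pair"
        else
            echo "FAIL automatic.conf [commands] $pair not set"; rc=1
        fi
    done
    return $rc
}

# Any file under yum.repos.d with an active gpgcheck=0 line fails the
# "never disabled" rule, whatever the global setting says (every file is
# inspected, as the rule's sed remediation edits every file there).
check_repos() {   # check_repos ROOT
    rc=0
    for f in "$1"/etc/yum.repos.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$f"; then
            echo "FAIL $f disables signature checking"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "PASS no repository file sets gpgcheck=0"
    return $rc
}

audit() {   # audit ROOT: run all checks, succeed only if every one passes
    rc=0
    check_yum_conf "$1"      || rc=1
    check_dnf_automatic "$1" || rc=1
    check_repos "$1"         || rc=1
    return $rc
}

# Usage: sh audit_updates.sh /      (or a test tree such as /tmp/root)
if [ $# -gt 0 ]; then
    audit "$1"
fi
```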
References: 11 3 9 BAI10.01 BAI10.02 BAI10.03 BAI10.05 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 SR 7.6 A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 CM-5(3) SI-7 SC-12 SC-12(3) CM-6(a) SA-12 SA-12(10) CM-11(a) CM-11(b) PR.IP-1 SRG-OS-000366-GPOS-00153

Rationale: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. NOTE: For U.S. Military systems, this requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

Ensure Red Hat GPG Key Installed

To ensure the system can cryptographically verify that base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must be properly installed. To install the Red Hat GPG key, run:

    $ sudo subscription-manager register

If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:

    $ sudo rpm --import /media/cdrom/RPM-GPG-KEY

Alternatively, the key may be pre-loaded during the RHEL installation.
In such cases, the key can be installed by running the following command:

    $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

References: BP28(R15) 1.2.3 11 2 3 9 5.10.4.1 APO01.06 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS06.02 3.4.8 CCI-001749 164.308(a)(1)(ii)(D) 164.312(b) 164.312(c)(1) 164.312(c)(2) 164.312(e)(2)(i) 4.3.4.3.2 4.3.4.3.3 4.3.4.4.4 SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 7.6 A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 CIP-003-3 R4.2 CIP-003-3 R6 CIP-007-3 R4 CIP-007-3 R4.1 CIP-007-3 R4.2 CIP-007-3 R5.1 CM-5(3) SI-7 SC-12 SC-12(3) CM-6(a) PR.DS-6 PR.DS-8 PR.IP-1 FPT_TUD_EXT.1 FPT_TUD_EXT.2 Req-6.2 SRG-OS-000366-GPOS-00153 SRG-OS-000366-VMM-001430 SRG-OS-000370-VMM-001460 SRG-OS-000404-VMM-001650

Rationale: Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify that packages are from Red Hat.

Remediation Shell script:

    # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key
    readonly REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
    readonly REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"

    # Location of the key we would like to import (once its integrity is verified)
    readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

    RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")")

    # Verify /etc/pki/rpm-gpg directory permissions are safe
    if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]
    then
      # If they are safe, try to read the key file with gpg
      # (to ensure there won't be e.g. a CRC error). The exit status of gpg
      # itself is what decides whether the file is usable.
      if GPG_RAW=$(gpg --show-keys --with-fingerprint --with-colons "$REDHAT_RELEASE_KEY")
      then
        # No CRC error, safe to proceed: keep only the fingerprint record that
        # follows each "pub" record, i.e. the fingerprints of primary keys
        readarray -t GPG_OUT < <(printf '%s\n' "$GPG_RAW" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10)
        # Print one fingerprint per line so that an unknown key cannot hide
        # next to a known one; import only if no line is left after removing
        # the known fingerprints (an empty key file also leaves one empty line
        # and is therefore not imported)
        printf '%s\n' "${GPG_OUT[@]}" | grep -vE "^(${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT})$" || {
          # $REDHAT_RELEASE_KEY contains no key with an unknown fingerprint, import it
          rpm --import "${REDHAT_RELEASE_KEY}"
        }
      fi
    fi

Remediation Ansible snippet:

    - name: Read permission of GPG key directory
      stat:
        path: /etc/pki/rpm-gpg/
      register: gpg_key_directory_permission
      check_mode: false
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_redhat_gpgkey_installed
      - high_severity
      - medium_complexity
      - medium_disruption
      - no_reboot_needed
      - restrict_strategy

    - name: Read signatures in GPG key
      command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
      args:
        warn: false
      changed_when: false
      register: gpg_fingerprints
      check_mode: false
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_redhat_gpgkey_installed
      - high_severity
      - medium_complexity
      - medium_disruption
      - no_reboot_needed
      - restrict_strategy

    - name: Set Fact - Installed GPG Fingerprints
      set_fact:
        gpg_installed_fingerprints: |-
          {{ gpg_fingerprints.stdout | regex_findall('^pub.*
          (?:^fpr[:]*)([0-9A-Fa-f]*)', '\1') | list }}
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_redhat_gpgkey_installed
      - high_severity
      - medium_complexity
      - medium_disruption
      - no_reboot_needed
      - restrict_strategy

    - name: Set Fact - Valid fingerprints
      set_fact:
        gpg_valid_fingerprints: ("567E347AD0044ADE55BA8A5F199E2F91FD431D51" "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792")
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_redhat_gpgkey_installed
      - high_severity
      - medium_complexity
      - medium_disruption
      - no_reboot_needed
      - restrict_strategy

    - name: Import RedHat GPG key
      rpm_key:
        state: present
        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      when:
      - gpg_key_directory_permission.stat.mode <= '0755'
      - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
      - gpg_installed_fingerprints | length > 0
      - ansible_distribution == "RedHat"
      tags:
      - CJIS-5.10.4.1
      - NIST-800-171-3.4.8
      - NIST-800-53-CM-5(3)
      - NIST-800-53-CM-6(a)
      - NIST-800-53-SC-12
      - NIST-800-53-SC-12(3)
      - NIST-800-53-SI-7
      - PCI-DSS-Req-6.2
      - ensure_redhat_gpgkey_installed
      - high_severity
      - medium_complexity
      - medium_disruption
      - no_reboot_needed
      - restrict_strategy

Ensure Software Patches Installed

If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

    $ sudo yum update

If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm. NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.

References: BP28(R08) 1.9 18 20 4 5.10.4.1
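The trust decision behind the "Ensure Red Hat GPG Key Installed" rule above (key directory not writable by others, and every primary key in the file carrying a known fingerprint), as an added example that is not part of the SCAP content. It works on the colon-format output of gpg --show-keys --with-fingerprint --with-colons, supplied here as a constructed sample so it runs without gpg or the key file; the sample's pub record fields other than the fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide content): the checks the
# "Ensure Red Hat GPG Key Installed" remediation performs before "rpm --import".

# Fingerprints quoted in the rule (published at https://access.redhat.com/security/team/key).
REDHAT_RELEASE_FINGERPRINT="567E347AD0044ADE55BA8A5F199E2F91FD431D51"
REDHAT_AUXILIARY_FINGERPRINT="6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"

# primary_fingerprints FILE: print the fingerprint (field 10) of every primary
# key in colon-format gpg output, i.e. the "fpr" record directly after a "pub"
# record. "fpr" records after "sub" records belong to subkeys and are skipped,
# which is what the rule's  grep -A1 "^pub" | grep "^fpr"  pipeline selects.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"              { after_pub = 1; next }
        $1 == "fpr" && after_pub { print $10 }
                                 { after_pub = 0 }' "$1"
}

# key_is_trusted FILE FPR...: succeed only if FILE holds at least one primary
# key and every primary fingerprint is one of the FPR arguments.
key_is_trusted() {
    file=$1; shift
    count=0
    for fpr in $(primary_fingerprints "$file"); do
        count=$((count + 1))
        case " $* " in
            *" $fpr "*) ;;
            *) echo "untrusted primary key $fpr in $file" >&2; return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# keydir_is_safe DIR: the key directory must not be group- or world-writable,
# or an unprivileged user could swap the key file before it is imported.
# (A bit test on the two write bits, where the rule compares the mode to 755.)
keydir_is_safe() {
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# release_key_ok COLONS_FILE KEYDIR: the combined decision before importing.
release_key_ok() {
    keydir_is_safe "$2" &&
    key_is_trusted "$1" "$REDHAT_RELEASE_FINGERPRINT" "$REDHAT_AUXILIARY_FINGERPRINT"
}

# Constructed sample of colon-format output: one primary key carrying the
# Red Hat release fingerprint and one subkey whose fingerprint is an all-zero
# placeholder. Only the fingerprint fields matter; the rest are placeholders.
sample_colons() {
    cat <<'EOF'
pub:-:4096:1:199E2F91FD431D51:0:::-:::scESC::::::23::0:
fpr:::::::::567E347AD0044ADE55BA8A5F199E2F91FD431D51:
sub:-:4096:1:0000000000000000:0::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Demo:  sh gpgkey_check.sh --demo   (runs the decision on the sample)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); chmod 755 "$d"; sample_colons > "$d/key.colons"
    release_key_ok "$d/key.colons" "$d" && echo "trusted" || echo "NOT trusted"
    rm -rf "$d"
fi
```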