Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update RHEL 9 STIG to V2R1 #12373

Merged
merged 6 commits into from
Sep 13, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 1 addition & 23 deletions controls/stig_rhel9.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
id: stig_rhel9
source: https://public.cyber.mil/stigs/downloads/
version: V1R3
version: V2R1
reference_type: stigid
product: rhel9
levels:
Expand Down Expand Up @@ -2813,28 +2813,6 @@ controls:
- var_password_pam_retry=3
status: automated

- id: RHEL-09-611015
levels:
- medium
title:
RHEL 9 must be configured in the password-auth file to prohibit password
reuse for a minimum of five generations.
rules:
- accounts_password_pam_pwhistory_remember_password_auth
- var_password_pam_remember=5
- var_password_pam_remember_control_flag=requisite_or_required
status: automated

- id: RHEL-09-611020
levels:
- medium
title:
RHEL 9 must be configured in the system-auth file to prohibit password reuse
for a minimum of five generations.
rules:
- accounts_password_pam_pwhistory_remember_system_auth
status: automated

- id: RHEL-09-611025
levels:
- high
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,7 @@ checktext: |-

If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.



vuldiscussion: |-
If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,7 @@ checktext: |-

If the "active" keyword does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.



vuldiscussion: |-
The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,10 @@ vuldiscussion: |-

Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured {{{ full_name }}} system.



checktext: |-
Verify that {{{ full_name }}} audit service package is installed.
Verify that the {{{ full_name }}} audit service package is installed.

Check that the audit service package is installed with the following command:

Expand All @@ -25,4 +27,3 @@ fixtext: |-
Install the audit service package (if the audit service is not already installed) with the following command:

$ sudo dnf install audit

Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,13 @@ checktext: |-

If this command produces any "keytab" file(s), this is a finding.



vuldiscussion: |-
Unapproved mechanisms used for authentication to the cryptographic module are not verified; therefore, cannot be relied upon to provide confidentiality or integrity and DOD data may be compromised.

{{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys.

FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,7 @@ checktext: |-

If "s-nail" package is not installed, this is a finding.



vuldiscussion: |-
The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,9 @@ checktext: |-

If the "ypserv" package is installed, this is a finding.



vuldiscussion: |-
The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the remote session.

Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,7 @@ checktext: |-

If the "rsh-server" package is installed, this is a finding.



vuldiscussion: |-
The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services.
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,13 @@ vuldiscussion: |-
If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.

checktext: |-
Verify that {{{ full_name }}} does not have a tftp server package installed with the following command:
Verify that {{{ full_name }}} does not have a "tftp-server" package installed with the following command:

$ sudo dnf list --installed | grep tftp
$ sudo dnf list --installed | grep tftp-server

If the "tftp" package is installed, this is a finding.
If the "tftp-server" package is installed, this is a finding.

fixtext: |-
The tftp package can be removed with the following command:

$ sudo dnf remove tftp
The "tftp-server" package can be removed with the following command:

$ sudo dnf remove tftp-server
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the operating system does not allow a noncertificate trusted host SSH logon to the system with the following command:

$ sudo grep -ir hostbasedauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*hostbasedauthentication'

HostbasedAuthentication no

Expand All @@ -23,4 +23,3 @@ fixtext: |-
Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@ srg_requirement: |-
vuldiscussion: |-
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.



checktext: |-
Verify {{{ full_name }}} remote access using SSH prevents logging on with a blank password with the following command:
Verify that {{{ full_name }}} remote access using SSH prevents logging on with a blank password with the following command:

$ sudo grep -ir PermitEmptyPasswords /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*permitemptypasswords'

PermitEmptyPassword no

Expand All @@ -21,4 +23,3 @@ fixtext: |-
Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@ srg_requirement: |-
vuldiscussion: |-
Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.



checktext: |-
Verify the SSH daemon does not allow GSSAPI authentication with the following command:

$ sudo grep -ir gssapiauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'

GSSAPIAuthentication no

Expand All @@ -25,4 +27,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@ srg_requirement: |-
vuldiscussion: |-
Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.



checktext: |-
Verify the SSH daemon does not allow Kerberos authentication with the following command:

$ sudo grep -i kerberosauth /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication'

KerberosAuthentication no

Expand All @@ -23,4 +25,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the SSH daemon does not allow rhosts authentication with the following command:

$ sudo grep -ir ignorerhosts /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*ignorerhosts'

IgnoreRhosts yes

Expand All @@ -23,4 +23,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,12 @@ srg_requirement: |-
vuldiscussion: |-
Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.



checktext: |-
Verify {{{ full_name }}} remote access using SSH prevents users from logging on directly as "root" with the following command:
Verify that {{{ full_name }}} remote access using SSH prevents users from logging on directly as "root" with the following command:

$ sudo grep -ir PermitRootLogin /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'

PermitRootLogin no

Expand All @@ -21,4 +23,3 @@ fixtext: |-
Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the SSH daemon does not allow known hosts authentication with the following command:

$ sudo grep -ir ignoreuser /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts'

IgnoreUserKnownHosts yes

Expand All @@ -23,4 +23,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the SSH daemon does not allow X11Forwarding with the following command:

$ sudo grep -ir x11for /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*x11forwarding'

X11forwarding no

Expand All @@ -23,4 +23,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify that unattended or automatic logon via SSH is disabled with the following command:

$ sudo grep -ir permituserenvironment /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*permituserenvironment'

PermitUserEnvironment no

Expand All @@ -25,4 +25,3 @@ fixtext: |-
Restart the SSH daemon for the setting to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the {{{ full_name }}} SSHD is configured to allow for the UsePAM interface with the following command:

$ sudo grep -ir usepam /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*usepam'

UsePAM yes

Expand All @@ -21,4 +21,3 @@ fixtext: |-
Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,14 @@ srg_requirement: |-
{{{ full_name }}} SSHD must accept public key authentication.

vuldiscussion: |-
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication.
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication.



checktext: |-
Verify that {{{ full_name }}} SSH daemon accepts public key encryption with the following command:

$ sudo grep -ir PubkeyAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*pubkeyauthentication'

PubkeyAuthentication yes

Expand All @@ -21,4 +23,3 @@ fixtext: |-
Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:

$ sudo grep -ir strictmodes /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*strictmodes'

StrictModes yes

Expand All @@ -23,4 +23,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,14 @@ srg_requirement: |-
vuldiscussion: |-
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.



checktext: |-
Verify any SSH connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
Verify that any SSH connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.

Check for the location of the banner file being used with the following command:

$ sudo grep -ir banner /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*banner'

banner /etc/issue

Expand All @@ -25,4 +27,3 @@ fixtext: |-
An example configuration line is:

Banner /etc/issue

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
checktext: |-
Verify the SSH daemon provides users with feedback on when account accesses last occurred with the following command:

$ sudo grep -ir printlast /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*printlastlog'

PrintLastLog yes

Expand All @@ -23,4 +23,3 @@ fixtext: |-
The SSH service must be restarted for changes to take effect:

$ sudo systemctl restart sshd.service

Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@ vuldiscussion: |-
SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

checktext: |-
Verify {{{ full_name }}} logs SSH connection attempts and failures to the server.
Verify that {{{ full_name }}} logs SSH connection attempts and failures to the server.

Check what the SSH daemon's "LogLevel" option is set to with the following command:

$ sudo grep -ir LogLevel /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*loglevel'

LogLevel VERBOSE

If a value of "VERBOSE" is not returned, the line is commented out, or is missing, this is a finding.
If a value of "VERBOSE" is not returned or the line is commented out or missing, this is a finding.

fixtext: |-
Configure {{{ full_name }}} to log connection attempts add or modify the following line in "/etc/ssh/sshd_config".
Expand All @@ -23,4 +23,3 @@ fixtext: |-
Restart the SSH daemon for the settings to take effect:

$ sudo systemctl restart sshd.service

Loading
Loading