Re: OS SRG mappings -- feedback
by Willy Santos
Please see in-line comments/responses.
Thanks,
-Willy
> CCI-000044 - The requirement is to allow 3 failed logons before locking the account. Need to assign a value of 3.
Value of 3 will be assigned when generating STIG specific profile.
https://fedorahosted.org/scap-security-guide/ticket/70
> CCI-000047 - The requirement is to lock the account after reaching the number of failed attempts as assigned in CCI-000044.
This is the default behaviour of the pam_faillock module in RHEL6.
> CCI-000050 - The requirement is for the banner to remain on the screen until the user takes some action, such as clicking an OK or Acknowledgement button.
> Is there a command which will fulfill this requirement or is it built-into the system? We don't want the logon banner to just flash on the screen and
> disappear.
The banner remains on the screen until the user clicks the "OK" button.
A notable exception to this is when SSHing in, which displays the banner
(contents of /etc/issue) before the login prompt. The accepted
acknowledgement is when the user decides to enter their user/pass combo.
> CCI-000056 - Once the screen is locked, it can only be unlocked using password or CAC authentication. Is there a command to enforce this?
All screen locks require re-authentication.
> CCI-000057 - The requirement is to lock the system after 15 minutes of inactivity. Is there a command to enter which will set the time to 15 minutes?
There is already a rule that satisfies this requirement, but was
incorrectly mapped. We'll correct this.
https://fedorahosted.org/scap-security-guide/ticket/72
> CCI-000060 - Is there a way to ensure a blank screen or display graphics while the screen is locked? Don't want to be able to see the previous screen.
There is already a rule that satisfies this requirement, but was
incorrectly mapped. We'll correct this.
https://fedorahosted.org/scap-security-guide/ticket/73
> CCI-000130 - Is there a command or flag to set which will ensure the system audit information contains what type of events occurred? Or is it built in and cannot be
> changed?
The audit system automatically records the type of event that occurred.
No special command/flag needed and cannot be changed.
We can add wording to the audit group description to document this.
https://fedorahosted.org/scap-security-guide/ticket/85
> CCI-000131 - Is there a command or flag to set which will ensure the system audit information contains when the events occurred? Or is it built in and cannot be
> changed?
The audit system automatically records the time/date when the event
occurred. No special command/flag needed and cannot be changed.
We can add wording to the audit group description to document this.
https://fedorahosted.org/scap-security-guide/ticket/85
> CCI-000132 - Is there a command or flag to set which will ensure the system audit information contains where the events occurred? Or is it built in and cannot be
> changed?
The audit system automatically records the location of the event that
occurred. No special command/flag needed and cannot be changed.
We can add wording to the audit group description to document this.
https://fedorahosted.org/scap-security-guide/ticket/85
> CCI-000133 - Is there a command or flag to set which will ensure the system audit information contains the source of the events? Or is it built in and cannot be
> changed?
The audit system automatically records the command that triggers the
event and the uid and gid of the account that triggered the command for
the event that occurred. No special command/flag needed and cannot be
changed.
We can add wording to the audit group description to document this.
https://fedorahosted.org/scap-security-guide/ticket/85
> CCI-000133 - Is there a command or flag to set which will ensure the system audit information contains the success/failure of the events? Or is it built in and
> cannot be changed?
The audit system automatically records the success or failure (syntax is
"success=yes/no") of the event that occurred. No special command/flag needed
and cannot be changed.
We can add wording to the audit group description to document this.
https://fedorahosted.org/scap-security-guide/ticket/85
> CCI-000143 - The command stated in CCI-000140 should be used here also with option of Email being used.
We will add those mappings.
https://fedorahosted.org/scap-security-guide/ticket/77
> CCI-000154 - This would either be 'Products Meets this Requirement' or 'Product cannot comply with this requirement'
We will change the mapping to "Product Meets this Requirement"
https://fedorahosted.org/scap-security-guide/ticket/86
> CCI-000162 - This requirement is to define permissions on the audit data file to restrict read access by authorized personnel only. Need a command to set read
> permissions on the audit file.
By default, ONLY the root user can read the audit log files.
> CCI-000163 - This requirement is to define permissions on the audit data file to restrict modification by authorized personnel only. Need a command to set modify
> permissions on the audit file.
By default, ONLY the root user can read the audit log files.
> CCI-000164 - This requirement is to define permissions on the audit data file to restrict deletion by authorized personnel only. Need a command to set delete
> permissions on the audit file.
By default, ONLY the root user can read the audit log files.
> CCI-000200 - Need a command to check/fix for requirement of not using the last 24 passwords.
Value of 24 will be assigned when generating STIG specific profile.
https://fedorahosted.org/scap-security-guide/ticket/78
> CCI-000206 - Does Redhat display the password when entered or does it utilize asterisks? If asterisks are used and cannot be changed, then this product meets the
> requirement. If it must be configured to not display the password when entered, then a command needs defined.
For graphical login, RHEL uses dots instead of asterisks, but it is the
same idea. For console/SSH login, nothing is displayed while the user is
typing the password. Will change mapping to "Product Meets this
Requirement".
https://fedorahosted.org/scap-security-guide/ticket/79
> CCI-000213 - This requirement deals with permissions and access control. Redhat has the capability to define permissions and controls per user basis.
We will remap this CCI to "Product Meets this Requirement"
https://fedorahosted.org/scap-security-guide/ticket/71
> CCI-000663 - Is there any way that Redhat can control access to whom installs software or patches?
By default, only root can install software or patches.
> CCI-001391 - Is there a way Redhat can display to the user after logon, how many successful logons have occurred within the last 7 days?
By default we show the information for the last login, but only when
logging in via ssh / terminal. The data does exist within the PAM
subsystems, however. It may be possible for developers to write software
to expose this data to a user upon login. However I am unaware of
parties who have the resources to commit to this and to support it over
time. Additionally, while CCI-001391 was in the OS SRG it was not a
requirement of the RHEL5 STIG.
> CCI-001392 - Is there a way Redhat can display to the user after logon, how many unsuccessful logons have occurred within the last 7 days?
By default we do not expose this information at login. The data does
exist within the PAM subsystems, however. It may be possible for
developers to write software to expose this data to a user upon login.
However I am unaware of parties who have the resources to commit to this
and to support it over time. Additionally, while CCI-001392 was in the
OS SRG it was not a requirement of the RHEL5 STIG.
> CCI-001404 - Will the command that's given also provide audit information when the account is disabled?
Yes. The audit rule will log when ANY changes are made to an account.
> CCI-001405 - Will the command that's given also provide audit information when the account is terminated?
Yes. The audit rule will log when ANY changes are made to an account.
> CCI-001452 - This requirement is to define the duration for counting the invalid logon attempts, such as 3 attempts within a 15 minute timeframe.
The rule addresses the time-out requirement with the unlock_time
argument, which specifies the time (in seconds) for which to enforce the
lockout. In this case the guidance reads "unlock_time=900", which will
lock out the user for 15 minutes.
> CCI-001493 - Is there a special permission which needs set to protect access to audit tools or how does the product natively meet this requirement?
By default only root has any access to any audit tools.
> CCI-001494 - Is there a special permission which needs set to protect modification of audit tools or how does the product natively meet this requirement?
By default only root has any access to any audit tools.
> CCI-001495 - Is there a special permission which needs set to protect deletion of audit tools or how does the product natively meet this requirement?
By default only root has any access to any audit tools.
> CCI-001683 - Using the command given, will it notify individuals when accounts are created? Not just log the info.
As the audit logs are sent to a centralized facility, to be reviewed by
System Administrators, we have considered the inclusion of useradd data
in audit logs a notification method. If we want to expand upon that
further, such as emailing the new user a welcome letter, such
functionality does not currently exist within the Operating System.
> CCI-001684 - Using the command given, will it notify individuals when accounts are modified? Not just log the info.
As the audit logs are sent to a centralized facility, to be reviewed by
System Administrators, we have considered the inclusion of this data in
audit logs a notification method.
> CCI-001685 - Using the command given, will it notify individuals when accounts are disabled? Not just log the info.
As the audit logs are sent to a centralized facility, to be reviewed by
System Administrators, we have considered the inclusion of this data in
audit logs a notification method.
> CCI-001686 - Using the command given, will it notify individuals when accounts are terminated? Not just log the info.
As the audit logs are sent to a centralized facility, to be reviewed by
System Administrators, we have considered the inclusion of this data in
audit logs a notification method.
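Two points in the reply above lend themselves to a runnable check: the pam_faillock arguments that implement CCI-000044/000047/001452 (deny=3, unlock_time=900) and the fields an auditd record already carries, without any extra flag, for CCI-000130 through CCI-000133 (type, time, location, source and success/failure). The script below is an added example, not code from the thread or from the scap-security-guide project. The pam lines and audit records it reads are constructed samples, and the table mapping each CCI to record fields is this example's own reading of the CCIs (in particular, treating exe/pid as the "where" of an event), not the project's mapping.

```python
"""Evidence checks for the OS SRG mappings discussed above (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- pam_faillock (CCI-000044 / CCI-000047 / CCI-001452) ---------------------

# Matches "auth <control> pam_faillock.so <args...>"; <control> may be a
# bracketed action list such as [default=die], which contains no spaces.
FAILLOCK_LINE_RE = re.compile(r"^\s*auth\s+\S+\s+pam_faillock\.so\s*(.*)$")


def parse_faillock_args(pam_lines):
    """Merge the key=value and flag arguments of every auth pam_faillock line."""
    args = {}
    for line in pam_lines:
        m = FAILLOCK_LINE_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            key, sep, value = token.partition("=")
            args[key] = value if sep else True
    return args


def faillock_findings(args, deny="3", unlock_time="900"):
    """Deviations from the STIG values the thread assigns (3 tries, 900 s)."""
    findings = []
    if args.get("deny") != deny:
        findings.append(f"deny should be {deny}, found {args.get('deny')}")
    if args.get("unlock_time") != unlock_time:
        findings.append(f"unlock_time should be {unlock_time} seconds, "
                        f"found {args.get('unlock_time')}")
    return findings


# --- auditd records (CCI-000130 .. CCI-000133) ------------------------------

AUDIT_MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be double-quoted


@dataclass
class AuditRecord:
    type: str
    time: datetime
    serial: int
    fields: dict


def parse_audit_record(line):
    """Split one audit.log line into its type, timestamp, serial and fields."""
    m = AUDIT_MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: " + line[:40])
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    fields["time"] = when.isoformat()  # expose the timestamp as a field too
    return AuditRecord(fields["type"], when, int(m["serial"]), fields)


# Assumption: which record fields satisfy each CCI (this example's reading).
CCI_FIELDS = {
    "CCI-000130": ("type",),                      # what type of event
    "CCI-000131": ("time",),                      # when it occurred
    "CCI-000132": ("exe", "pid"),                 # where: the process involved
    "CCI-000133": ("comm", "auid", "uid", "gid",  # source of the event
                   "success"),                    # and its outcome (yes/no)
}


def cci_gaps(rec):
    """Map each CCI to the fields the record lacks; {} means all are present."""
    gaps = {}
    for cci, names in CCI_FIELDS.items():
        absent = [n for n in names if n not in rec.fields]
        if absent:
            gaps[cci] = absent
    return gaps


def failed_events(records):
    """Records the kernel flagged as unsuccessful (success=no)."""
    return [r for r in records if r.fields.get("success") == "no"]


# Constructed sample input (not taken from a real system).
SAMPLE_SYSTEM_AUTH = [
    "auth        required      pam_env.so",
    "auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900",
    "auth        sufficient    pam_unix.so nullok try_first_pass",
    "auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900",
    "auth        required      pam_deny.so",
    "account     required      pam_faillock.so",
]
WEAK_SYSTEM_AUTH = ["auth required pam_faillock.so preauth silent deny=10"]
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1340000000.123:456): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7fff5c2b1d40 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 tty=pts0 '
    'ses=1 comm="cat" exe="/bin/cat" key="access-audit-log"',
    'type=SYSCALL msg=audit(1340000000.456:457): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7fff5c2b1d40 ppid=2101 pid=2102 auid=500 uid=500 gid=500 euid=500 '
    'tty=pts1 ses=2 comm="cat" exe="/bin/cat" key="access-audit-log"',
]

if __name__ == "__main__":
    print("faillock findings:", faillock_findings(parse_faillock_args(SAMPLE_SYSTEM_AUTH)))
    for line in SAMPLE_AUDIT_LOG:
        rec = parse_audit_record(line)
        print(rec.serial, rec.type, rec.fields["time"], rec.fields["success"], cci_gaps(rec))
```

Running the script with the weak pam line instead of the sample reports both the wrong deny value and the missing unlock_time, which is the shape of finding the STIG profile would flag; the audit half shows that every field the CCIs ask about is present on an ordinary SYSCALL record, which is the "built in and cannot be changed" point the reply makes.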
11 years, 9 months
[PATCH 0/3] New prose about using LUKS.
by Willy Santos
Added guidance on the use of LUKS for disk encryption and mapped pertinent CCIs to it.
Willy Santos (3):
Added section on partition encryption using LUKS.
Removed mapping of CCIs 1199, 1350, 1200 from new_rule_needed, to new
group on LUKS.
Added link to RH docs on LUKS.
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/system/software/disk_partitioning.xml | 33 +++++++++++++++++++++
2 files changed, 34 insertions(+), 1 deletions(-)
--
1.7.7.6
11 years, 9 months
OS SRG mappings -- feedback
by Jeffrey Blank
Our friends at DISA FSO have a batch of feedback/questions for the OS
SRG mappings. I believe most of the answers are fairly clear, though a
few will require additions to the project content.
I think it is preferable to document (in auxiliary/srg_support.xml)
answers, instead of answering inline with email. (Although a few are
more appropriate for email/list response.)
For other items, we might achieve this by documenting features/behavior
more fully in Group descriptions. This could make sense for 131-133, by
describing the audit records more fully there.
> Using this link: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-ta..., I have reviewed the information provided and have the following comments:
>
> CCI-000044 - The requirement is to allow 3 failed logons before locking the account. Need to assign a value of 3.
> CCI-000047 - The requirement is to lock the account after reaching the number of failed attempts as assigned in CCI-000044.
> CCI-000050 - The requirement is for the banner to remain on the screen until the user takes some action, such as clicking an OK or Acknowledgement button.
> Is there a command which will fulfill this requirement or is it built-into the system? We don't want the logon banner to just flash on the screen and
> disappear.
> CCI-000056 - Once the screen is locked, it can only be unlocked using password or CAC authentication. Is there a command to enforce this?
> CCI-000057 - The requirement is to lock the system after 15 minutes of inactivity. Is there a command to enter which will set the time to 15 minutes?
> CCI-000060 - Is there a way to ensure a blank screen or display graphics while the screen is locked? Don't want to be able to see the previous screen.
> CCI-000130 - Is there a command or flag to set which will ensure the system audit information contains what type of events occurred? Or is it built in and cannot be
> changed?
> CCI-000131 - Is there a command or flag to set which will ensure the system audit information contains when the events occurred? Or is it built in and cannot be
> changed?
> CCI-000132 - Is there a command or flag to set which will ensure the system audit information contains where the events occurred? Or is it built in and cannot be
> changed?
> CCI-000133 - Is there a command or flag to set which will ensure the system audit information contains the source of the events? Or is it built in and cannot be
> changed?
> CCI-000133 - Is there a command or flag to set which will ensure the system audit information contains the success/failure of the events? Or is it built in and
> cannot be changed?
> CCI-000143 - The command stated in CCI-000140 should be used here also with option of Email being used.
> CCI-000154 - This would either be 'Products Meets this Requirement' or 'Product cannot comply with this requirement'
> CCI-000162 - This requirement is to define permissions on the audit data file to restrict read access by authorized personnel only. Need a command to set read
> permissions on the audit file.
> CCI-000163 - This requirement is to define permissions on the audit data file to restrict modification by authorized personnel only. Need a command to set modify
> permissions on the audit file.
> CCI-000164 - This requirement is to define permissions on the audit data file to restrict deletion by authorized personnel only. Need a command to set delete
> permissions on the audit file.
> CCI-000200 - Need a command to check/fix for requirement of not using the last 24 passwords.
> CCI-000206 - Does Redhat display the password when entered or does it utilize asterisks? If asterisks are used and cannot be changed, then this product meets the
> requirement. If it must be configured to not display the password when entered, then a command needs defined.
> CCI-000213 - This requirement deals with permissions and access control. Redhat has the capability to define permissions and controls per user basis.
> CCI-000663 - Is there any way that Redhat can control access to whom installs software or patches?
> CCI-001391 - Is there a way Redhat can display to the user after logon, how many successful logons have occurred within the last 7 days?
> CCI-001392 - Is there a way Redhat can display to the user after logon, how many unsuccessful logons have occurred within the last 7 days?
> CCI-001404 - Will the command that's given also provide audit information when the account is disabled?
> CCI-001405 - Will the command that's given also provide audit information when the account is terminated?
> CCI-001452 - This requirement is to define the duration for counting the invalid logon attempts, such as 3 attempts within a 15 minute timeframe.
> CCI-001493 - Is there a special permission which needs set to protect access to audit tools or how does the product natively meet this requirement?
> CCI-001494 - Is there a special permission which needs set to protect modification of audit tools or how does the product natively meet this requirement?
> CCI-001495 - Is there a special permission which needs set to protect deletion of audit tools or how does the product natively meet this requirement?
> CCI-001683 - Using the command given, will it notify individuals when accounts are created? Not just log the info.
> CCI-001684 - Using the command given, will it notify individuals when accounts are modified? Not just log the info.
> CCI-001685 - Using the command given, will it notify individuals when accounts are disabled? Not just log the info.
> CCI-001686 - Using the command given, will it notify individuals when accounts are terminated? Not just log the info.
>
>
11 years, 9 months
[PATCH] updates to transform which display STIGs as tables
by Jeffrey Blank
Added check content column, severity/CAT column.
A future revision might involve combining some of the individual row items (vertically)
to make it easier for users that aren't on large displays.
Jeffrey Blank (1):
added new columns for severity and check content into STIG tables
* also combined duplicative xccdf2table-stig transforms into
parameterized version
RHEL6/Makefile | 4 +-
RHEL6/transforms/xccdf2table-stig-addnotes.xslt | 172 -----------------------
RHEL6/transforms/xccdf2table-stig.xslt | 84 ++++++++++--
3 files changed, 75 insertions(+), 185 deletions(-)
delete mode 100644 RHEL6/transforms/xccdf2table-stig-addnotes.xslt
11 years, 9 months
NTP encryption guidance
by ctrueman@redhat.com
Not sure doing an actual push, so I figured I'd throw this out there on
the list first.
--
Clifford Trueman
Red Hat Consulting
757 570 0253
11 years, 9 months
[PATCH 1/1] Removed package list from Smart Card section.
by Willy Santos
Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
RHEL6/input/system/accounts/physical.xml | 18 ++----------------
1 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml
index 801f1ec..3133d76 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
@@ -309,22 +309,8 @@ authentication for login can be found in the Red Hat Documentation web site:
<ul>
<li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managi...</li>
</ul>
-The following packages are required in order to enable use of Smart Cards
-on RHEL:
-<ul>
-<li>nss-tools</li>
-<li>esc</li>
-<li>pam_pkcs11</li>
-<li>coolkey</li>
-<li>ccid</li>
-<li>gdm</li>
-<li>authconfig</li>
-<li>authconfig-gtk</li>
-<li>krb5-libs</li>
-<li>krb5-workstation</li>
-<li>krb5-auth-dialog</li>
-<li>krb5-pkinit-openssl</li>
-</ul>
+It is recommended to use Smart Cards wherever feasible as part of a multifactor
+authentication system
</description>
<ref disa="765,766,767,768,771,772,884" />
</Group>
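Review bot: the replacement sentence ("+It is recommended to use Smart Cards wherever feasible as part of a multifactor" / "+authentication system") has no terminating period before `</description>`, so the rendered text will run straight into whatever follows; add the period. The commit message also does not say why the package list (nss-tools through krb5-pkinit-openssl) is dropped rather than corrected; since the hunk keeps the Red Hat documentation link in the `<ul>` just above, a short note in the description that installation prerequisites are covered there would preserve that pointer for readers who relied on the list.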
--
1.7.7.6
11 years, 9 months
[PATCH 0/3] Added prose about CAC cards
by Willy Santos
Added guidance for use of CAC cards.
Willy Santos (3):
Removed mapping of CCI-001097 to requirement_unclear.
Added guidance on use of CAC cards.
Remapped CCIs 765, 766, 767, 768, 771, 772, 884 from new_rule_needed
to the newly created smart_card_login group. All these CCIs refer
to multi-factor authentication.
11 years, 9 months
[PATCH 0/2] Updated singleuser pw check and a profile id
by Kevin Spargur
Updated single user mode to reflect that it should be looking in
/etc/sysconfig/init instead. Also updated an id tag in the common profile
that pointed to nowhere.
Kevin Spargur (2):
Updated singleuser mode check to reflect the move away from inittab
Tidied up the rhnsd id tag in the common profile
RHEL6/input/checks/singleuser_password.xml | 16 ++++++++--------
RHEL6/input/profiles/common.xml | 2 +-
2 files changed, 9 insertions(+), 9 deletions(-)
--
1.7.7.6
11 years, 9 months