SSG 0.1-14-14 - set_screensaver_inactivity_timeout
by ssg fthfth
For SSGID Set GNOME Login Inactivity Timeout - (CCE-26828-4), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
10 years, 1 month
Cron and faillog/lastlog
by Kayse, Josh
Per the RHEL6 Guide I have configured my system to utilize faillock and
lastlog. Now I have found that cron no longer works.
I have tracked it down to being an SELinux problem. crond_t is trying
to read/write lastlog_t and faillog_t files. Has anyone else run into
this problem or have recommendations?
My findings so far have shown that cron requires auth, account, and
session from password-auth. Inside password-auth we have the
appropriate faillock/lastlog lines in auth/account/session.
Previously we have put the faillock/lastlog lines in the individual
services that users can use to access the system (gdm, sshd, login, etc)
but this was not compliant with the SSG/STIG.
Should we go back to placing these lines in the individual services or
grant the permission to crond_t? Could this be because we disable the
unconfined domain?
Thanks,
-josh
--
404.407.6630
10 years, 1 month
SSG 0.1-14-14 - max_concurrent_login_sessions
by ssg fthfth
For SSGID Limit the Number of Concurrent Login Sessions Allowed Per User - (CCE-27457-1) with the stig-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce an error on a RHEL6V1R2 compliant machine.
See the following report output:
Test ID: oval:ssg:tst:573
Result: error
Title: the value maxlogins should be set appropriately in /etc/security/limits.conf
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1628
Object Requirements:
filepath must be equal to '/etc/security/limits.conf'
pattern must match the pattern '^[\s]*\*[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$'
instance must be equal to '1'
State ID: oval:ssg:ste:1629
State Requirements:
subexpression must be less than or equal to '10'
Collected Item Properties:
filepath equals '/etc/security/limits.conf'
path equals '/etc/security'
filename equals 'limits.conf'
pattern equals '^[\s]*\*[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$'
instance equals '1'
text equals '* hard maxlogins 10 '
subexpression equals 'hard'
subexpression equals '10'
Additional Information: Collected items did not meet the check requirement.
10 years, 1 month
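Added example, not part of the original post and not SSG or SCC code: a simplified Python model of the check in the report above, showing that the reported pattern collects two subexpressions ('hard' and '10') and that comparing 'hard' against the integer state is the likely source of the error result. The NARROWED pattern, the function names and the sample text are assumptions of this example.

```python
import re

# Pattern and limit copied from the report (oval:ssg:obj:1628 / oval:ssg:ste:1629).
REPORTED = r'^[\s]*\*[\s]+(hard|-)[\s]+maxlogins[\s]+(\d+)\s*$'
# Assumed correction: a non-capturing group, so only the number is collected.
NARROWED = r'^[\s]*\*[\s]+(?:hard|-)[\s]+maxlogins[\s]+(\d+)\s*$'
LIMIT = 10

# Constructed limits.conf content; the second line is the text shown in the report.
SAMPLE = "# constructed sample\n* hard maxlogins 10 \n"


def collect(pattern, text, instance=1):
    """Return the subexpressions of the Nth matching line, or None if absent."""
    hits = [m for m in (re.match(pattern, ln) for ln in text.splitlines()) if m]
    if len(hits) < instance:
        return None
    return list(hits[instance - 1].groups())


def compare_le(value, limit):
    """One item-state comparison against an integer: 'true', 'false' or 'error'."""
    try:
        return 'true' if int(value) <= limit else 'false'
    except ValueError:
        return 'error'  # 'hard' (or '-') cannot be read as an integer


def evaluate(pattern, text, limit=LIMIT):
    """Simplified model: every collected subexpression must satisfy the state."""
    subs = collect(pattern, text)
    if subs is None:
        return 'false', []  # no item collected, existence check fails
    results = [compare_le(s, limit) for s in subs]
    if 'false' in results:
        verdict = 'false'
    elif 'error' in results:
        verdict = 'error'
    else:
        verdict = 'true'
    return verdict, subs


if __name__ == '__main__':
    print(evaluate(REPORTED, SAMPLE))
    print(evaluate(NARROWED, SAMPLE))
```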
SSG 0.1-14-14 - SSG content not present within DISA RHEL6V1R2 STIG
by ssg fthfth
The following ssg-ids are not included within the DISA RHEL6V1R2 STIG for profiles stig-rhel6-server and/or usgcb-rhel6-server, as indicated below:
STIG USGCB
x x Ensure All Files Are Owned by a User - (CCE-27032-2)
x x Ensure All Files Are Owned by a Group - (CCE-26872-2)
x x Ensure No Device Files are Unlabeled by SELinux - (CCE-26774-0)
x Require Authentication for Single User Mode - (CCE-27040-5)
x Bind Mount /var/tmp To /tmp - (CCE-26582-7)
x Disable Mounting of cramfs - (CCE-26340-0)
x Disable Mounting of freevxfs - (CCE-26544-7)
x Disable Mounting of jffs2 - (CCE-26670-0)
x Disable Mounting of hfs - (CCE-26800-3)
x Disable Mounting of hfsplus - (CCE-26361-6)
x Disable Mounting of squashfs - (CCE-26404-4)
x Disable Mounting of udf - (CCE-26677-5)
x Ensure that Root's Path Does Not Include Relative Paths or Null Directories - (CCE-26826-8)
x Ensure that Root's Path Does Not Include World or Group-Writable Directories - (CCE-26768-2)
x Disable Accepting IPv6 Router Advertisements - (CCE-27164-3)
x Disable Zeroconf Networking - (CCE-27151-0)
x Make the auditd Configuration Immutable - (CCE-26612-2)
x Disable Portreserve (portreserve) - (CCE-27258-3)
x Disable Network File System Lock Service (nfslock) - (CCE-27104-9)
x Disable Secure RPC Client Service (rpcgssd) - (CCE-26864-9)
x Disable RPC ID Mapping Service (rpcidmapd) - (CCE-26870-6)
x Disable Network File Systems (netfs) - (CCE-27137-9)
x Uninstall vsftpd Package - (CCE-26687-4)
x Disable Samba - (CCE-27143-7)
x Uninstall net-snmp Package - (CCE-26332-7)
x Disable Support for RPC IPv6 - (CCE-27232-8)
x Ensure All SGID Executables Are Authorized - (CCE-26769-0)
x Ensure All SUID Executables Are Authorized - (CCE-26497-8)
x x Ensure SELinux Not Disabled in /etc/grub.conf - (CCE-26956-3)
x x Ensure SELinux State is Enforcing - (CCE-26969-6)
x x Configure SELinux Policy - (CCE-26875-5)
x Ensure that System Accounts Do Not Run a Shell Upon Login - (CCE-26966-2)
x x Set Password Retry Prompts Permitted Per-Session - (CCE-27123-9)
x Ensure that User Home Directories are not Group-Writable or World-Readable - (CCE-26981-1)
x Deactivate Wireless Network Interfaces - (CCE-27057-9)
x Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server - (CCE-26803-7)
x Disable KDump Kernel Crash Analyzer (kdump) - (CCE-26850-8)
x Uninstall DHCP Server Package - (CCE-27120-5)
x Disable Secure RPC Server Service (rpcsvcgssd) - (CCE-27122-1)
x Disable DNS Server - (CCE-26873-0)
x Uninstall bind Package - (CCE-27030-6)
x Disable vsftpd Service - (CCE-26948-0)
x Disable httpd Service - (CCE-27075-1)
x Uninstall httpd Package - (CCE-27133-8)
x Disable Dovecot Service - (CCE-26922-5)
x Uninstall dovecot Package - (CCE-27039-7)
x Disable Samba - (CCE-27143-7)
x Disable Squid - (CCE-27146-0)
x Uninstall squid Package - (CCE-26977-9)
x Disable snmpd Service - (CCE-26906-8)
10 years, 1 month
SSG 0.1-14-14 - Content designed for RHEL6 is performed on RHEL5 with SCC
by ssg fthfth
Content designed for RHEL6 is performed on RHEL5 with SCC. This may be a content issue.
1) By using the check_existence="any_exist", the test will always pass because an item with a status of "does not exist" is created. See the SCAP specification page 101 for how the tool should report. In this case it will always be 'true'.
2) The criterion should be written as follows:
<oval-def:criteria>
  <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
  <oval-def:criteria operator="OR">
    <oval-def:criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:102"/>
    <oval-def:criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:103"/>
  </oval-def:criteria>
</oval-def:criteria>
10 years, 1 month
SSG 0.1-14-14 - sshd_set_idle_timeout
by ssg fthfth
For SSGID Set SSH Idle Timeout Interval - (CCE-26919-1), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG value is 900. The SSG content “Description” also states a value of 900. However the SSG content state requirement is “subexpression must be less than or equal to '300'”
See the following report output:
Set SSH Idle Timeout Interval
ID: sshd_set_idle_timeout
Result: Fail
Identities: CCE-26919-1
Description: SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: ClientAliveInterval interval The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Fix Text:
Severity: low
Weight:
Reference: 879
1133
Definitions:
ID: oval:ssg:def:474
Result: false
Title: Set OpenSSH Idle Timeout Interval
Description: The SSH idle timeout interval should be set to an appropriate value.
Class: compliance
Tests:
false (One or more item-state comparisons may be true.)
false (timeout is configured)
false (One or more item-state comparisons may be true.)
false (All item-state comparisons must be true.)
true (Runlevel test)
true (Runlevel test)
false (Runlevel test)
false (Runlevel test)
false (Runlevel test)
false (Runlevel test)
true (Runlevel test)
false (All item-state comparisons must be true.)
false (package openssh-server is removed)
Tests:
Test ID: oval:ssg:tst:475
Result: false
Title: timeout is configured
Check Existence: All collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1546
Object Requirements:
filepath must be equal to '/etc/ssh/sshd_config'
pattern must match the pattern '^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$'
instance must be equal to '1'
State ID: oval:ssg:ste:1547
State Requirements:
subexpression must be less than or equal to '300'
Collected Item Properties:
filepath equals '/etc/ssh/sshd_config'
path equals '/etc/ssh'
filename equals 'sshd_config'
pattern equals '^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$'
instance equals '1'
text equals 'ClientAliveInterval 900'
subexpression equals '900'
Additional Information: Collected items did not meet the check requirement.
10 years, 1 month
SSG 0.1-14-14 - user_umask_logindefs
by ssg fthfth
For SSGID Ensure the Default Umask is Set Correctly in login.defs - (CCE-26371-5), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG value is 077. The SSG content “Description” also states a value of 077. However the SSG content state requirement is “subexpression must be equal to '027'”
See the following report output:
Ensure the Default Umask is Set Correctly in login.defs
ID: user_umask_logindefs
Result: Fail
Identities: CCE-26371-5
Description: To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows: UMASK 077
Fix Text:
Severity: low
Weight:
Reference:
366
Definitions:
ID: oval:ssg:def:1160
Result: false
Title: Ensure that Users Have Sensible Umask Values in /etc/login.defs
Description: The default umask for all users specified in /etc/login.defs
Class: compliance
Tests:
false (All item-state comparisons must be true.)
false (Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/login.defs file)
Tests:
Test ID: oval:ssg:tst:1161
Result: false
Title: Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/login.defs file
Check Existence: All collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:2134
Object Requirements:
path must be equal to '/etc'
filename must be equal to 'login.defs'
pattern must match the pattern '^[\s]*UMASK[\s]+([^#\s]*)'
instance must be equal to '1'
State ID: oval:ssg:ste:2135
State Requirements:
subexpression must be equal to '027'
Collected Item Properties:
filepath equals '/etc/login.defs'
path equals '/etc'
filename equals 'login.defs'
pattern equals '^[\s]*UMASK[\s]+([^#\s]*)'
instance equals '1'
text equals 'UMASK 077'
subexpression equals '077'
Additional Information: Collected items did not meet the check requirement.
10 years, 1 month
SSG 0.1-14-14 - user_umask_profile
by ssg fthfth
For SSGID Ensure the Default Umask is Set Correctly in /etc/profile - (CCE-26669-2), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG value is 077. The SSG content “Description” also states a value of 077. However the SSG content state requirement is “subexpression must be equal to '027'”
See the following report output:
Ensure the Default Umask is Set Correctly in /etc/profile
ID: user_umask_profile
Result: Fail
Identities: CCE-26669-2
Description: To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows: umask 077
Fix Text:
Severity: low
Weight:
Reference:
366
Definitions:
ID: oval:ssg:def:1204
Result: false
Title: Ensure that Users Have Sensible Umask Values in /etc/profile
Description: The default umask for all users should be set correctly
Class: compliance
Tests:
false (All item-state comparisons must be true.)
false (Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/profile file)
Tests:
Test ID: oval:ssg:tst:1205
Result: false
Title: Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/profile file
Check Existence: All collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:2176
Object Requirements:
path must be equal to '/etc'
filename must be equal to 'profile'
pattern must match the pattern '^[\s]*umask[\s]+([^#\s]*)'
instance must be equal to '1'
State ID: oval:ssg:ste:2177
State Requirements:
subexpression must be equal to '027'
Collected Item Properties:
filepath equals '/etc/profile'
path equals '/etc'
10 years, 1 month
SSG 0.1-14-14 - user_umask_cshrc
by ssg fthfth
For SSGID Ensure the Default C Shell Umask is Set Correctly - (CCE-27034-8), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG value is 077. The SSG content “Description” also states a value of 077. However the SSG content state requirement is “subexpression must be equal to '027'”
See the following report output:
Ensure the Default C Shell Umask is Set Correctly
ID: user_umask_cshrc
Result: Fail
Identities: CCE-27034-8
Description: To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows: umask 077
Fix Text:
Severity: low
Weight:
Reference:
366
Definitions:
ID: oval:ssg:def:711
Result: false
Title: Ensure that Users Have Sensible Umask Values set for csh
Description: The default umask for users of the csh shell
Class: compliance
Tests:
false (All item-state comparisons must be true.)
false (Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/csh.cshrc file)
Tests:
Test ID: oval:ssg:tst:712
Result: false
Title: Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/csh.cshrc file
Check Existence: All collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1755
Object Requirements:
path must be equal to '/etc'
filename must be equal to 'csh.cshrc'
pattern must match the pattern '^[\s]*umask[\s]+([^#\s]*)'
instance must be equal to '1'
State ID: oval:ssg:ste:1756
State Requirements:
subexpression must be equal to '027'
Collected Item Properties:
filepath equals '/etc/csh.cshrc'
path equals '/etc'
filename equals 'csh.cshrc'
pattern equals '^[\s]*umask[\s]+([^#\s]*)'
instance equals '1'
text equals 'umask 077'
subexpression equals '077'
Additional Information: Collected items did not meet the check requirement.
10 years, 1 month