SSG 0.1-14-14 - user_umask_bashrc
by ssg fthfth
For SSGID Ensure the Default Bash Umask is Set Correctly - (CCE-26917-5), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG value is 077. The SSG content "Description" also states a value of 077. However, the SSG content state requirement is "subexpression must be equal to '027'".
See the following report output:
Ensure the Default Bash Umask is Set Correctly
ID: user_umask_bashrc
Result: Fail
Identities: CCE-26917-5
Description: To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows: umask 077
Fix Text:
Severity: low
Weight:
Reference:
366
Definitions:
ID: oval:ssg:def:742
Result: false
Title: Ensure that Users Have Sensible Umask Values set for bash
Description: The default umask for users of the bash shell
Class: compliance
Tests:
false (All item-state comparisons must be true.)
false (Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/bashrc file)
Tests:
Test ID: oval:ssg:tst:743
Result: false
Title: Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/bashrc file
Check Existence: All collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1781
Object Requirements:
path must be equal to '/etc'
filename must be equal to 'bashrc'
pattern must match the pattern '^[\s]*umask[\s]+([^#\s]*)'
instance must be equal to '1'
State ID: oval:ssg:ste:1782
State Requirements:
subexpression must be equal to '027'
Collected Item Properties:
filepath equals '/etc/bashrc'
path equals '/etc'
filename equals 'bashrc'
pattern equals '^[\s]*umask[\s]+([^#\s]*)'
instance equals '1'
text equals ' umask 077'
subexpression equals '077'
Additional Information: Collected items did not meet the check requirement.
10 years, 2 months
SSG 0.1-14-14 - account_disable_post_pw_expiration
by ssg fthfth
For SSGID Set Account Expiration Following Inactivity - (CCE-27283-1), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG recommends a value of 35. The SSG content "Description" also states a value of 35 is recommended. However, the SSG content subexpression check is "must be less than or equal to '30'".
See the following report output:
subexpression equals '35' Collected items did not meet the check requirement.
To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately: INACTIVE=NUM_DAYS A value of 35 is recommended. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.
Fix Text:
Severity: low
Weight:
Reference: AC-2(2)
AC-2(3)
16
17
795
Definitions:
ID: oval:ssg:def:525
Result: false
Title: Set Accounts to Expire Following Password Expiration
Description: The accounts should be configured to expire automatically following password expiration.
Class: compliance
Tests:
false (All item-state comparisons must be true.)
false (the value INACTIVE parameter should be set appropriately in /etc/default/useradd)
Tests:
Test ID: oval:ssg:tst:526
Result: false
Title: the value INACTIVE parameter should be set appropriately in /etc/default/useradd
Check Existence: One or more collected items must exist.
Check: All collected items must match the given state(s).
State Operator: All item-state comparisons must be true.
Object ID: oval:ssg:obj:1591
Object Requirements:
filepath must be equal to '/etc/default/useradd'
pattern must match the pattern '^\s*INACTIVE\s*=\s*(\d+)\s*$'
instance must be equal to '1'
State ID: oval:ssg:ste:1592
State Requirements:
subexpression must be less than or equal to '30'
State ID: oval:ssg:ste:1593
State Requirements:
subexpression must be greater than '-1'
Collected Item Properties:
filepath equals '/etc/default/useradd'
path equals '/etc/default'
filename equals 'useradd'
pattern equals '^\s*INACTIVE\s*=\s*(\d+)\s*$'
instance equals '1'
text equals 'INACTIVE=35'
subexpression equals '35'
Additional Information: Collected items did not meet the check requirement.
10 years, 2 months
SSG 0.1-14-14 - accounts_password_warn_age_login_defs
by ssg fthfth
For SSGID Set Password Warning Age - (CCE-26988-6), with the usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The STIG states the DoD requirement is 7. The SSG content tests for >= 14.
10 years, 2 months
SSG 0.1-14-14 - kernel_module_bluetooth_disabled
by ssg fthfth
For SSGID Disable Bluetooth Kernel Modules - (CCE-26763-3), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The SSG content checks for /bin/true. The STIG Check Content lists /bin/false or another. Recommend testing for ^\/bin\/(true|false)$ or similar.
10 years, 2 months
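The three reports above (user_umask_bashrc, account_disable_post_pw_expiration and kernel_module_bluetooth_disabled) all describe the same mechanism: an OVAL textfilecontent54 object captures one subexpression from a file, and a state then compares that capture against a fixed value. The following Python is an added example written for this page, not code from SCAP Security Guide, SCC or the poster. It emulates that object/state evaluation over constructed sample files and runs each check twice: once with the state value the posts quote from the shipped content, and once with the STIG value the posts give (077, 35, and the `^\/bin\/(true|false)$` pattern the bluetooth post recommends). The umask and INACTIVE object patterns are copied from the report output above; the modprobe object pattern and all three sample files are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a small emulation of an OVAL textfilecontent54 test, written
# for this page to show why the checks quoted in the posts above fail on
# STIG-compliant input. Not part of SCAP Security Guide, SCC or OpenSCAP.


@dataclass
class State:
    """One state requirement applied to the captured subexpression."""
    operation: str            # "equals", "less than or equal", "greater than", "pattern match"
    value: str
    datatype: str = "string"  # "string" or "int"


def collect_item(file_text: str, pattern: str, instance: int = 1) -> Optional[Tuple[str, str]]:
    """Emulate the object: the instance-th line matching `pattern`, returned as
    (matched text, first capture group). None means no item was collected."""
    matches = []
    for line in file_text.splitlines():
        m = re.search(pattern, line)
        if m:
            matches.append((m.group(0), m.group(1)))
    if len(matches) < instance:
        return None
    return matches[instance - 1]


def compare(subexpression: str, state: State) -> bool:
    """One item-state comparison, honouring the state's int/string datatype."""
    if state.operation == "pattern match":
        return re.search(state.value, subexpression) is not None
    if state.datatype == "int":
        left, right = int(subexpression), int(state.value)
    else:
        left, right = subexpression, state.value
    if state.operation == "equals":
        return left == right
    if state.operation == "less than or equal":
        return left <= right
    if state.operation == "greater than":
        return left > right
    raise ValueError(f"unsupported operation: {state.operation!r}")


def evaluate_test(file_text: str, pattern: str, states: List[State], instance: int = 1) -> bool:
    """check_existence: the item must exist; check: every state must be true."""
    item = collect_item(file_text, pattern, instance)
    if item is None:
        return False
    _, subexpression = item
    return all(compare(subexpression, s) for s in states)


# --- Constructed sample files (not captured from a real host) ---
BASHRC_077 = "# /etc/bashrc, constructed sample\nif [ $UID -gt 199 ]; then\n    umask 077\nfi\n"
USERADD_35 = "# /etc/default/useradd, constructed sample\nINACTIVE=35\nSHELL=/bin/bash\n"
MODPROBE_BT = "# /etc/modprobe.d/bluetooth.conf, constructed sample\ninstall bluetooth /bin/false\n"

# The first two patterns are quoted from the report output in the posts; the
# modprobe pattern is an assumption, since the page does not show that object.
UMASK_PATTERN = r"^[\s]*umask[\s]+([^#\s]*)"
INACTIVE_PATTERN = r"^\s*INACTIVE\s*=\s*(\d+)\s*$"
BT_PATTERN = r"^\s*install\s+bluetooth\s+(\S+)\s*$"


def umask_check(as_shipped: bool) -> bool:
    """Shipped state demands '027'; the alternative demands the STIG value '077'."""
    wanted = "027" if as_shipped else "077"
    return evaluate_test(BASHRC_077, UMASK_PATTERN, [State("equals", wanted)])


def inactive_check(as_shipped: bool) -> bool:
    """Shipped upper bound is 30; the alternative uses the STIG value 35."""
    limit = "30" if as_shipped else "35"
    states = [State("less than or equal", limit, "int"), State("greater than", "-1", "int")]
    return evaluate_test(USERADD_35, INACTIVE_PATTERN, states)


def bluetooth_check(as_shipped: bool) -> bool:
    """Shipped state equals '/bin/true'; the alternative is the regex the post recommends."""
    state = State("equals", "/bin/true") if as_shipped else State("pattern match", r"^\/bin\/(true|false)$")
    return evaluate_test(MODPROBE_BT, BT_PATTERN, [state])


if __name__ == "__main__":
    for name, fn in (("umask", umask_check), ("INACTIVE", inactive_check), ("bluetooth", bluetooth_check)):
        print(f"{name}: shipped={fn(True)} stig_aligned={fn(False)}")
```

Each `*_check(True)` returns `False` on the compliant sample, reproducing the false positives in the reports, while `*_check(False)` returns `True`. The object regex and the state value are separate things: the object on this page already extracts the right token, so the mismatch lives entirely in the state, which is the part to compare against the benchmark when triaging a surprising failure.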
SSG 0.1-14-14 - enable_gdm_login_banner
by ssg fthfth
For SSGID Enable GUI Warning Banner - (CCE-27195-7), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
10 years, 2 months
SSG 0.1-14-14 - set_blank_screensaver
by ssg fthfth
For SSGID Implement Blank Screen Saver - (CCE-26638-7), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
10 years, 2 months
SSG 0.1-14-14 - enable_screensaver_password_lock
by ssg fthfth
For SSGID Enable Screen Lock Activation After Idle Period - (CCE-26235-2), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
10 years, 2 months
SSG 0.1-14-14 - enable_screensaver_after_idle
by ssg fthfth
For SSGID GNOME Desktop Screensaver Mandatory Use - (CCE-26600-7), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
10 years, 2 months
SSG 0.1-14-14 - deny_password_attempts
by ssg fthfth
For SSGID Set Interval For Counting Failed Password Attempts - (CCE-27215-3), with the stig-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The SSG content checks maximum failed login attempts allowed in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
The STIG checks /etc/pam.d/system-auth-ac.
The /etc/pam.d/system-auth-ac file is symlinked to /etc/pam.d/system-auth.
Any changes made to /etc/pam.d/system-auth are overwritten when authconfig is run.
10 years, 2 months
SSG 0.1-14-14 - deny_password_attempts
by ssg fthfth
For SSGID Set Lockout Time For Failed Password Attempts - (CCE-27110-6), with the stig-rhel6-server profile selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.
The SSG content checks maximum failed login attempts allowed in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
The STIG checks /etc/pam.d/system-auth-ac.
The /etc/pam.d/system-auth-ac file is symlinked to /etc/pam.d/system-auth.
Any changes made to /etc/pam.d/system-auth are overwritten when authconfig is run.
10 years, 2 months
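The two deny_password_attempts posts above turn on which file a checker reads when system-auth-ac and system-auth are linked. The following Python is an added example, not code from SSG, SCC or the poster: it builds a throwaway pam.d directory laid out as the posts describe (system-auth-ac a symlink to system-auth), then audits the pam_faillock `deny=` value through each name while recording which real file the name resolved to, so an auditor can see that a check on either path is reading the same file. The PAM lines and the deny value in the sandbox are constructed placeholders, not figures from the STIG or the page.

```python
import os
import re
import tempfile
from typing import Dict, Iterable, Optional, Tuple

# Added example for the pam_faillock posts above; not code from SSG, SCC or the STIG.
# It shows that a check reading /etc/pam.d/system-auth-ac and one reading
# /etc/pam.d/system-auth see the same content when one is a symlink to the other.

FAILLOCK_DENY = re.compile(r"^\s*auth\s+\S+\s+pam_faillock\.so\s.*\bdeny=(\d+)")


def faillock_deny(path: str) -> Optional[int]:
    """Return the deny= value from the first pam_faillock auth line, or None."""
    with open(path) as fh:
        for line in fh:
            m = FAILLOCK_DENY.match(line)
            if m:
                return int(m.group(1))
    return None


def audit(pam_dir: str, names: Iterable[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    """For each file name, record (real path it resolves to, deny value found)."""
    results = {}
    for name in names:
        path = os.path.join(pam_dir, name)
        results[name] = (os.path.realpath(path), faillock_deny(path))
    return results


def build_sandbox() -> str:
    """Construct a temporary pam.d layout mirroring the posts: system-auth-ac -> system-auth."""
    d = tempfile.mkdtemp(prefix="pamd-")
    # Constructed sample content; deny=3 is a placeholder, not the STIG value.
    content = ("auth        required      pam_env.so\n"
               "auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800\n"
               "auth        sufficient    pam_unix.so nullok try_first_pass\n")
    for name in ("system-auth", "password-auth"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(content)
    os.symlink("system-auth", os.path.join(d, "system-auth-ac"))
    return d


def same_backing_file(results: Dict[str, Tuple[str, Optional[int]]], a: str, b: str) -> bool:
    """True when two audited names resolve to the same real file."""
    return results[a][0] == results[b][0]


if __name__ == "__main__":
    sandbox = build_sandbox()
    report = audit(sandbox, ["system-auth", "system-auth-ac", "password-auth"])
    for name, (real, deny) in report.items():
        print(f"{name:16} -> {real}  deny={deny}")
    print("system-auth-ac and system-auth share a file:",
          same_backing_file(report, "system-auth-ac", "system-auth"))
```

The resolved path is what makes the report useful: a finding that names system-auth-ac while the file actually edited was system-auth is the same finding, and recording `os.path.realpath` alongside each name removes that ambiguity from the evidence. The authconfig overwrite mentioned in the posts cannot be shown offline; it is a reason to re-run the audit after any authconfig invocation.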