------------------- Insights Security ------------------- System Security =================== .. toctree:: :maxdepth: 1 /src/user/platform/security/concepts-security-intro Security Patches and Updates ------------------------------- Security updates are done with every software release. .. toctree:: :maxdepth: 1 /src/user/platform/security/concepts-security-system-restricted-user-shell Security and Security Policy Management --------------------------------------------- Upon installation, user passwords are restricted as follows: - Password length : 8 - Minimum number of days between password change : 1 - Maximum number of days between password change : 60 - Number of days of warning before password expires : 14 - Number number of days between password change: 10 User password and account security settings and policy details can also be configured. Creating Additional Users ------------------------------ The system ships with the following user accounts: * ``root`` – ssh root is disabled. Gaining root access can only be done with a VOSS employee present. * ``admin`` – ssh is allowed however, the admin user does not have a shell. When logging in with admin, you are immediately presented with a menu. * ``drop`` – ssh is not allowed, only sftp. * ``sysadmin`` – ssh is allowed but access is restricted only via a rbash shell. The system does not allow you to create any additional users. Creating and Managing SFTP Users ------------------------------------ The ``drop`` user can be used to sftp files to the box. The ``drop`` password can be administered through our admin menu. SSH key management ----------------------- SSH authentication requires maintaining the system SSH keys. This can be configured through the admin menu. Network Security ==================== Ports ------- This table includes connectivity requirements between Insights Arbitrator, Reporting Dashboard, as well as connectivity between these and the following: VOSS Automate, NTP, DNS and AD. .. tabularcolumns:: |p{4cm}|p{4cm}|p{4cm}|p{4cm}| +---------------+--------------+--------------+----------------+ | Source | Destination | Port / | Notes | | | | protocol | | +===============+==============+==============+================+ | | | 5432, 5433, | | | | | 5000, 60514, | | | | | 64514, | Note: | | Arbitrator |  Arbitrator | 64515, |  Intra-system | | Server / | Server / | 65515, | communication | | Dashboard | Dashboard | 65516, | and queries   | | Server       | Server       | 64005, |  – | | | | 64004, | Bi-directional | | | | 62009, 62010 | | | | | (all TCP) | | +---------------+--------------+--------------+----------------+ | | | |  Note:  VOSS | | | | 62002, | Fabric TLS | | | | 62003, | tunnel | | | | 62004, | Connection | | | | 62005, | Ports – | | Arbitrator | Arbitrator | 62006, | Bi-directional | | Server | Server | 11501,30501, | between | | | | 30503, | Customer | | | | 40501, 40503 | systems and | | | | (all TCP) | NOC systems | | | | | for event | | | | | forwarding | +---------------+--------------+--------------+----------------+ | Arbitrator | Network | | | | Server / | Resources | 53, 123 UDP | Time and DNS | | Dashboard | (NTP, DNS) | | | | Server       | | | | +---------------+--------------+--------------+----------------+ | Client PC – | | | | | GUI |  Arbitrator | | | | Interface | Server / | 443, 8443, | User Interface | | and CLI | Dashboard | 22, 80 TCP | Access | | Management | Server       | | | | Access | | | | +---------------+--------------+--------------+----------------+ | VOSS Automate | Dashboard | 27020 | Database | | | Server | | access | +---------------+--------------+--------------+----------------+ | Arbitrator | | | | | Server / | AD | 389 636 TCP | Authentication | | Dashboard | | UDP | | | Server       | | | | +---------------+--------------+--------------+----------------+ Web Certificate Setup Options --------------------------------- The platform installs a self-signed certificate for the web-frontend by default. This provides encryption of the web-traffic but does not provide users with valid authentication that the server is correct or protect against man-in-the-middle attacks. Customer can install their own certificates through the admin menu. .. note:: - Only one certificate file can be installed on the platform. - Please note the importance of ensuring that SSL certificates generated match the assigned network name of the platform. . .. toctree:: :maxdepth: 1 /src/user/platform/security/supported-ssl-ciphers Web Configuration ----------------------------------- The platform uses Apache as its web server. The configuration has been updated to secure the web server. The system's cipher configuration has been updated to only support "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. For details, refer to the **Apache Config** menu option upon installation or configuration. .. raw:: html See: Deploy and VM Installation Steps .. raw:: latex See the Install Guides topic: "Deploy and VM Installation Steps". The following table describes how Apache is secured. .. tabularcolumns:: |p{4cm}|p{12cm}| +----------------------------------+----------------------------------+ | Apache Modules | Only the necessary modules are | | | installed. Apache is packaged | | | using VOSS's proprietary package | | | manager so that only VOSS can | | | update Apache's configuration. | | | | | | access_compat_module, | | | alias_module, authn_core_module, | | | authz_core_module, | | | authz_host_module, | | | autoindex_module, core_module, | | | deflate_module, dir_module, | | | filter_module, headers_module, | | | http_module, log_config_module, | | | logio_module, mime_magic_module, | | | mime_module, mpm_prefork_module, | | | php5_module, proxy_http_module, | | | proxy_module, | | | proxy_wstunnel_module, | | | qos_module, rewrite_module, | | | session_cookie_module, | | | session_module, setenvif_module, | | | so_module, socache_shmcb_module, | | | ssl_module, unixd_module | +----------------------------------+----------------------------------+ | Privileges, Permissions, and | The Apache User and Group | | Ownership | directives are set to run as a | | | non-root user, “apache”. The | | | “apache” user does not have ssh | | | or login access. | +----------------------------------+----------------------------------+ | Core Dump | The CoreDumpDirectory is | | | disabled. | +----------------------------------+----------------------------------+ | OverRide Disabled | OS Root Directory and all other | | | directories has setting: | | | AllowOverride None | +----------------------------------+----------------------------------+ | Features, Content, Options | All directories has setting: | | | Options None | +----------------------------------+----------------------------------+ | Default Content removed | Default HTML and cgi content | | | removed. | +----------------------------------+----------------------------------+ | HTTP Request Methods Restricted | HTTP request methos limited to | | | GET POST OPTIONS | +----------------------------------+----------------------------------+ | HTTP TRACE Method Disabled | TraceEnable off | +----------------------------------+----------------------------------+ .. tabularcolumns:: |p{4cm}|p{12cm}| +----------------------------------+----------------------------------+ | Force HTTP 1.1 | # Force HTTP 1.1 | | | | | | RewriteEngine On | | | | | | RewriteCond %{THE_REQUEST} | | | !HTTP/1.1$ | | | | | | RewriteRule .\* - [F] | +----------------------------------+----------------------------------+ | HTTP Strict Transport Security | Header set | | | Strict-Transport-Security | | | "max-age=31536000; | | | includeSubDomains; preload" | +----------------------------------+----------------------------------+ | Information Leakage | ServerTokens ProductOnly | +----------------------------------+----------------------------------+ | ServerSignature | ServerSignature Off | +----------------------------------+----------------------------------+ | ETag Response Header | FileETag None | +----------------------------------+----------------------------------+ | Restricted Files | Access to .ht\* files are | | | restricted. | +----------------------------------+----------------------------------+ | Ports | Only https port 443 supported. | +----------------------------------+----------------------------------+ | SSL / TLS | Only TLSv1.2+ supported | +----------------------------------+----------------------------------+ | Ciphers | Only HIGH SSLCipherSuite | | | supported | +----------------------------------+----------------------------------+ | Certificates | System is installed with a self | | | signed certificate. Customer may | | | install their own signed | | | certificate through the admin | | | menu. | +----------------------------------+----------------------------------+ | Denial of Service Mitigations | Mod_qos is installed and | | | configured to fight slowloris. | +----------------------------------+----------------------------------+ Tenable.io, nmap vulnerability, and sslcans are consistently updated and run weekly on our product to ensure that we have the best possible settings for our web server. Scans -------- The platform was scanned with an external openscap tool using the DISA STIG specification for RHEL7. Refer to *Scan Results* in this document. Because our operating system is proprietary, there is no specification designed specifically for our operating system so we used the DISA STIG specification for RHEL7 as reference. Both the openscap tool and the specification are external and not controlled by VOSS. We also scan our system within VOSS using Tenable.io on a daily basis. DISA STIG refers to an organization (DISA — Defense Information Systems Agency) that provides technical guides (STIG — Security Technical Implementation Guide).  The Rhel7 specification we used was provided by the Defense Information Systems Agency. Many of the modules could not be validated as the operating system is not Redhat Packages ============ .. raw:: latex Refer to the VOSS Insights Open Source License Usage document for the list of packages, versions and licenses used in VOSS Insights. .. raw:: html

Refer to Open Source License Usage for the list of packages, versions and licenses used in VOSS Insights.

.. .. toctree:: .. :maxdepth: 1 .. /src/user/Insights-Licenses/Insights-ProductPackages-arbitrator .. /src/user/Insights-Licenses/Insights-ProductPackages-dashboard .. /src/user/Insights-Licenses/Insights-ProductPackages-ds9 Scan Results =============== The tables below show the scan results of the external openscap tool using the DISA STIG specification for RHEL7. Where the result is False, Unknown or Error, the **Response** column provides details. False ------ .. ... :file: disa-stig-rhel7-v3r10-xccdf-scap-false.csv .. tabularcolumns:: |\Yl{0.3}|\Yl{0.3}|\Yl{0.2}|\Yl{0.2}| .. csv-table:: False :class: longtable :header: "ID","Reference ID","Title","Response" :widths: 3 3 2 2 "oval:mil.disa.stig.rhel7:def: 95733","","The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.","Not supported." "oval:mil.disa.stig.rhel7:def: 95731","","The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full.","Not supported." "oval:mil.disa.stig.rhel7:def: 95729","","The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.","Not supported." "oval:mil.disa.stig.rhel7:def: 95715","","Verify /etc/pam.d/system-auth is included in /etc/pam.d/passwd","Pam module not installed." "oval:mil.disa.stig.rhel7:def: 93705","","Audit Kernel Module Creation - create _module","Kernel does not support modules." "oval:mil.disa.stig.rhel7:def: 92521","","RHEL-07-040201 - The Red Hat Enterprise Linux operating system must implement virtual address space randomization.","ASLR is enabled." "oval:mil.disa.stig.rhel7:def: 92519","","Require authentication upon booting into single-user and maintenance modes.","Password is required." "oval:mil.disa.stig.rhel7:def: 92517","","Disable dccp Kernel Module","DCCP is not enabled." "oval:mil.disa.stig.rhel7:def: 885","[CCE-27394-6] [auditd _data _retention _action _mail _acct]","Auditd Email Account to Notify Upon Action","Auditd is not installed." "oval:mil.disa.stig.rhel7:def: 87815","","The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.","Not supported." "oval:mil.disa.stig.rhel7:def: 878","[CCE-80431-0] [audit _rules _usergroup _modification _shadow]","Audit User/Group Modification (/etc/shadow)","Root readable writable." "oval:mil.disa.stig.rhel7:def: 875","[CCE-80435-1] [audit _rules _usergroup _modification _passwd]","Audit User/Group Modification (/etc/passwd)","Root readable writable." "oval:mil.disa.stig.rhel7:def: 872","[CCE-80430-2] [audit _rules _usergroup _modification _opasswd]","Audit User/Group Modification (opasswd)","Not supported." "oval:mil.disa.stig.rhel7:def: 87057","","The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.","Pam module not installed." "oval:mil.disa.stig.rhel7:def: 86943","","The ipv6.disable Kernel Boot Option Check","Not disabled." "oval:mil.disa.stig.rhel7:def: 869","[CCE-80432-8] [audit _rules _usergroup _modification _gshadow]","Audit User/Group Modification (gshadow)","Not supported." "oval:mil.disa.stig.rhel7:def: 86815","","Ensure auditd Collects Information on the Use of Privileged Commands - kmod","Auditd is not installed." "oval:mil.disa.stig.rhel7:def: 86765","","Record Any Attempts to Run setfiles","setfiles not installed." "oval:mil.disa.stig.rhel7:def: 86715","","The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.","Not supported." "oval:mil.disa.stig.rhel7:def: 86711","","The audit system must take appropriate action when the audit storage volume is full.","System has various logrotation policies, db deletion policies to help keeping disk not full." "oval:mil.disa.stig.rhel7:def: 86709","","The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.","Auditd is not installed." "oval:mil.disa.stig.rhel7:def: 86707","","The operating system must off-load audit records onto a different system or media from the system being audited.","Not supported." "oval:mil.disa.stig.rhel7:def: 86703","[CCE-27407-6]","The audit service must be running.","Not supported." "oval:mil.disa.stig.rhel7:def: 86689","[CCE-27173-4]","The system must use a separate file system for /tmp (or equivalent).","Not supported." "oval:mil.disa.stig.rhel7:def: 86639","","The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file.","True. No additional uses may be added to system." "oval:mil.disa.stig.rhel7:def: 866","[CCE-80433-6] [audit _rules _usergroup _modification _group]","Audit User/Group Modification (/etc/group)","Root readable writable." "oval:mil.disa.stig.rhel7:def: 86555","","Passwords must be restricted to a 60-day maximum lifetime.","Not supported. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 805","[CCE-80386-6] [audit _rules _unsuccessful _file _modification _open] [audit _rules _unsuccessful _file _modification _open]","RHEL-07-030510 - The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open _by _handle _at, truncate and ftruncate syscalls.","Commands not installed." "oval:mil.disa.stig.rhel7:def: 776","[CCE-80381-7] [audit _rules _system _shutdown]","Shutdown System When Auditing Failures Occur","Not supported." "oval:mil.disa.stig.rhel7:def: 773","[CCE-27461-3] [audit _rules _sysadmin _actions]","Audit System Administrator Actions","System Administrator is restricted through admin shell." "oval:mil.disa.stig.rhel7:def: 763","[CCE-80399-9] [audit _rules _privileged _commands _userhelper]","Ensure auditd Collects Information on the Use of Privileged Commands - userhelper","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 760","[CCE-80396-5] [audit _rules _privileged _commands _unix _chkpwd]","Ensure auditd Collects Information on the Use of Privileged Commands - unix _chkpwd","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 757","[CCE-80405-4] [audit _rules _privileged _commands _umount]","Ensure auditd Collects Information on the Use of Privileged Commands - umount","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 751","[CCE-80401-3] [audit _rules _privileged _commands _sudo]","Ensure auditd Collects Information on the Use of Privileged Commands - sudo","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 748","[CCE-80400-5] [audit _rules _privileged _commands _su]","Ensure auditd Collects Information on the Use of Privileged Commands - su","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 745","[CCE-80408-8] [audit _rules _privileged _commands _ssh _keysign]","Ensure auditd Collects Information on the Use of Privileged Commands - ssh _keysign","Not supported." "oval:mil.disa.stig.rhel7:def: 739","[CCE-80407-0] [audit _rules _privileged _commands _postqueue]","Ensure auditd Collects Information on the Use of Privileged Commands - postqueue","Not supported." "oval:mil.disa.stig.rhel7:def: 736","[CCE-80406-2] [audit _rules _privileged _commands _postdrop]","Ensure auditd Collects Information on the Use of Privileged Commands - postdrop","Not supported." "oval:mil.disa.stig.rhel7:def: 733","[CCE-80395-7] [audit _rules _privileged _commands _passwd]","Ensure auditd Collects Information on the Use of Privileged Commands - passwd","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 730","[CCE-80411-2] [audit _rules _privileged _commands _pam _timestamp _check]","Ensure auditd Collects Information on the Use of Privileged Commands - pam _timestamp _check","Not supported." "oval:mil.disa.stig.rhel7:def: 727","[CCE-80403-9] [audit _rules _privileged _commands _newgrp]","Ensure auditd Collects Information on the Use of Privileged Commands - newgrp","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 724","[CCE-80397-3] [audit _rules _privileged _commands _gpasswd]","Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 721","[CCE-80410-4] [audit _rules _privileged _commands _crontab]","Ensure auditd Collects Information on the Use of Privileged Commands - crontab","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 718","[CCE-80404-7] [audit _rules _privileged _commands _chsh]","Ensure auditd Collects Information on the Use of Privileged Commands - chsh","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 715","[CCE-80398-1] [audit _rules _privileged _commands _chage]","Ensure auditd Collects Information on the Use of Privileged Commands - chage","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 710","[audit _rules _privileged _commands]","The Red Hat EnterpriseLinux Operating system must audit all executions of privileged functions.","Not supported." "oval:mil.disa.stig.rhel7:def: 686","[CCE-27447-2] [audit _rules _media _export]","The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.","Not supported." "oval:mil.disa.stig.rhel7:def: 676","[CCE-80384-1] [audit _rules _login _events _lastlog]","Record Attempts to Alter Login and Logout Events - lastlog","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 675","[CCE-80383-3] [audit _rules _login _events _faillock]","Record Attempts to Alter Login and Logout Events - faillock","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 658","[CCE-80415-3] [audit _rules _kernel _module _loading _delete]","Audit Kernel Module Loading and Unloading - delete _module","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 657","[CCE-80414-6] [audit _rules _kernel _module _loading _init]","RHEL-07-030820 - The Red Hat Enterprise Linux operating system must audit all uses of the init _module and finit _module syscalls.","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 626","[CCE-27206-2] [audit _rules _file _deletion _events _unlink]","RHEL-07-030910 - The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 621","[CCE-80392-4] [audit _rules _execution _setsebool]","Record Any Attempts to Run setsebool","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 618","[CCE-80391-6] [audit _rules _execution _semanage]","Record Any Attempts to Run semanage","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 612","[CCE-80393-2] [audit _rules _execution _chcon]","Record Any Attempts to Run chcon","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 607","[CCE-27213-8] [audit _rules _dac _modification _setxattr]","RHEL-07-030440 - The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr and lremovexattr syscalls.","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 552","[CCE-27364-9] [audit _rules _dac _modification _chown]","RHEL-07-030370 - The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat and lchown syscalls.","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 546","[CCE-27339-1] [audit _rules _dac _modification _chmod]","RHEL-07-030410 - The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod and fchmodat syscalls.","Not supported. Only available to root. Root account is restricted." "oval:mil.disa.stig.rhel7:def: 544","[audit _rules _augenrules]","Check use of augenrules","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 542","[audit _rules _auditctl]","Check use of auditctl","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 525","[CCE-26952-2] [aide _periodic _cron _checking]","Configure Periodic Execution of AIDE","Not supported. Command not installed." "oval:mil.disa.stig.rhel7:def: 518","[CCE-80205-8] [accounts _umask _etc _login _defs]","RHEL-07-020240 - The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.","Not supported. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 510","[accounts _tmout]","RHEL-07-040160 - The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.","Not supported. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 486","[accounts _password _pam _unix _remember] [CCE-26923-3]","Limit Password Reuse","supported. Only a limited number of accounts on system." "oval:mil.disa.stig.rhel7:def: 484","[CCE-27200-5] [accounts _password _pam _ucredit]","Set Password ucredit Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 481","[CCE-27160-1] [accounts _password _pam _retry]","Set Password retry Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 478","[CCE-27360-7] [accounts _password _pam _ocredit]","Set Password ocredit Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 476","[CCE-27293-0] [accounts _password _pam _minlen]","Set Password minlen Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 474","[CCE-27115-5] [accounts _password _pam _minclass]","Set Password minclass Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 472","[CCE-27333-4] [accounts _password _pam _maxrepeat]","Set Password maxrepeat Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 470","[CCE-27512-3] [accounts _password _pam _maxclassrepeat]","The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 468","[CCE-27345-8] [accounts _password _pam _lcredit]","Set Password lcredit Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 466","[CCE-26631-2] [accounts _password _pam _difok]","Set Password difok Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 464","[accounts _password _pam _pwquality]","Check pam _pwquality Existence in system-auth","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 463","[CCE-27214-6] [accounts _password _pam _dcredit]","Set Password dcredit Requirements","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 449","[CCE-27081-9] [accounts _max _concurrent _login _sessions]","Set Maximum Number of Concurrent Login Sessions Per User","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 443","[CCE-27471-2] [account _disable _post _pw _expiration]","The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.","Not supported. Pam not installed. No additional users may be added to the system." "oval:mil.disa.stig.rhel7:def: 304","[sysctl _static _net _ipv6 _conf _all _accept _source _route]","Kernel net.ipv6.conf .all.accept _source _route Parameter Configuration Check","net.ipv6.conf .default.accept _source _route = 0" "oval:mil.disa.stig.rhel7:def: 303","[CCE-80179-5] [sysctl _net _ipv6 _conf _all _accept _source _route]","Kernel net.ipv6.conf .all.accept _source _route Parameter Configuration and Runtime Check","net.ipv6.conf .default.accept _source _route = 0" "oval:mil.disa.stig.rhel7:def: 297","[sysctl _kernel _ipv6 _disable]","Kernel Runtime Parameter IPv6 Check","net.ipv6.conf .all.disable _ipv6 = 0" "oval:mil.disa.stig.rhel7:def: 285","[sysctl _static _net _ipv4 _icmp _echo _ignore _broadcasts]","Kernel net.ipv4.icmp _echo _ignore _broadcasts Parameter Configuration Check","net.ipv4.icmp _echo _ignore _broadcasts = 1" "oval:mil.disa.stig.rhel7:def: 284","[CCE-80165-4] [sysctl _net _ipv4 _icmp _echo _ignore _broadcasts]","Kernel net.ipv4.icmp _echo _ignore _broadcasts Parameter Configuration and Runtime Check","net.ipv4.icmp _echo _ignore _broadcasts = 1" "oval:mil.disa.stig.rhel7:def: 283","[sysctl _runtime _net _ipv4 _conf _default _send _redirects]","Kernel net.ipv4.conf .default.send _redirects Parameter Runtime Check","net.ipv4.conf .default.send _redirects = 1" "oval:mil.disa.stig.rhel7:def: 282","[sysctl _static _net _ipv4 _conf _default _send _redirects]","Kernel net.ipv4.conf .default.send _redirects Parameter Configuration Check","net.ipv4.conf .default.send _redirects = 1" "oval:mil.disa.stig.rhel7:def: 281","[CCE-80156-3] [sysctl _net _ipv4 _conf _default _send _redirects]","Kernel net.ipv4.conf. default.send _redirects Parameter Configuration and Runtime Check","net.ipv4.conf. default.send _redirects = 1" "oval:mil.disa.stig.rhel7:def: 271","[sysctl _runtime _net _ipv4 _conf _default _accept _source _route]","Kernel net.ipv4.conf .default.accept _source _route Parameter Runtime Check","net.ipv4.conf .all.accept _source _route = 0" "oval:mil.disa.stig.rhel7:def: 270","[sysctl _static _net _ipv4 _conf _default _accept _source _route]","Kernel net.ipv4.conf .default.accept _source _route Parameter Configuration Check","net.ipv4.conf .all.accept _source _route = 0" "oval:mil.disa.stig.rhel7:def: 269","[CCE-80162-1] [sysctl _net _ipv4 _conf _default _accept _source _route]","Kernel net.ipv4.conf .default.accept _source _route Parameter Configuration and Runtime Check","net.ipv4.conf .all.accept _source _route = 0" "oval:mil.disa.stig.rhel7:def: 266","[CCE-80163-9] [sysctl _net _ipv4 _conf _default _accept _redirects]","The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.","net.ipv4.conf .all.accept _redirects = 0" "oval:mil.disa.stig.rhel7:def: 263","[CCE-80156-3] [sysctl _net _ipv4 _conf _all _send _redirects]","The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.","net.ipv4.conf .all.accept _redirects = 0" "oval:mil.disa.stig.rhel7:def: 179","","RHEL-07-010343 - The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command.","Not applicable. No additional uses may be added to the system." "oval:mil.disa.stig.rhel7:def: 178","","RHEL-07-010342 - The Red Hat Enterprise Linux operating system must use the invoking user password for privilege escalation when using sudo.","Not applicable. No additional uses may be added to the system." "oval:mil.disa.stig.rhel7:def: 176","[CCE-80351-0] [sudo _remove _nopasswd]","Ensure NOPASSWD Is Not Used in Sudo","sudoers file is not editable without root access." "oval:mil.disa.stig.rhel7:def: 169","[CCE-80349-4]","RHEL-07-020250 - The Red Hat Enterprise Linux operating system must be a vendor supported release","Not Red Hat." "oval:mil.disa.stig.rhel7:def: 1428","[system _info _architecture _ppc _64]","Test for PPC and PPCLE Architecture","Not supported." "oval:mil.disa.stig.rhel7:def: 1417","[sysctl _runtime _net _ipv6 _conf _all _disable _ipv6]","Kernel net.ipv6.conf .all.disable _ipv6 Parameter Runtime Check","net.ipv6.conf .all.disable _ipv6 = 0" "oval:mil.disa.stig.rhel7:def: 1416","[sysctl _static _net _ipv6 _conf _all _disable _ipv6]","Kernel net.ipv6.conf .all.disable _ipv6 Parameter Configuration Check","net.ipv6.conf .all.disable _ipv6 = 0" "oval:mil.disa.stig.rhel7:def: 1405","[CCE-80437-7] [sssd _enable _pam _services]","Configure PAM in SSSD Services","Pam module not installed." "oval:mil.disa.stig.rhel7:def: 1367","[CCE-27104-9] [set _password _hashing _algorithm _systemauth]","Set Password Hashing Algorithm in /etc/pam.d/system-auth","Pam module not installed." "oval:mil.disa.stig.rhel7:def: 1363","[CCE-27053-8] [set _password _hashing _algorithm _libuserconf]","Set SHA512 Password Hashing Algorithm in /etc/libuser.conf","Pam module not installed." "oval:mil.disa.stig.rhel7:def: 1319","[CCE-26971-2] [partition _for _var _log _audit]","Ensure /var/log/audit Located On Separate Partition","Not applicable." "oval:mil.disa.stig.rhel7:def: 1315","[CCE-26404-4] [partition _for _var]","Ensure /var Located On Separate Partition","Not applicable." "oval:mil.disa.stig.rhel7:def: 1311","[CCE-80144-9] [partition _for _home]","Ensure /home Located On Separate Partition","Not applicable." "oval:mil.disa.stig.rhel7:def: 126","[CCE-80359-3] [grub2 _enable _fips _mode]","Enable FIPS Mode in GRUB2","" "oval:mil.disa.stig.rhel7:def: 1141","[kernel _module _usb-storage _disabled]","Disable usb-storage Kernel Module","Kernel does not support modules." "oval:mil.disa.stig.rhel7:def: 1117","[CCE-27503-2] [gid _passwd _group _same]","All GIDs Are Present In /etc/group","1" "oval:mil.disa.stig.rhel7:def: 110","[CCE-80347-8] [ensure _gpgcheck _local _packages]","Ensure gpgcheck Enabled for Local Packages","gpgcheck not supported." "oval:mil.disa.stig.rhel7:def: 108","[CCE-80346-0] [clean _components _post _updating]","Ensure YUM Removes Previous Package Versions","YUM is not supported." "oval:mil.disa.stig.rhel7:def: 1027","[CCE-26989-4] [ensure _gpgcheck _globally _activated]","Ensure Yum gpgcheck Globally Activated","YUM is not supported." "oval:mil.disa.stig.rhel7:def: 1020","[display _login _attempts]","The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.","1" Unknown --------- .. ... :file: disa-stig-rhel7-v3r10-xccdf-scap-unknown.csv .. tabularcolumns:: |\Yl{0.3}|\Yl{0.3}|\Yl{0.2}|\Yl{0.2}| .. csv-table:: Unknown :class: longtable :header: "ID","Reference ID","Title","Response" :widths: 3 3 2 2 "oval:mil.disa.stig.rhel7:def: 999","[CCE-80371-8]","Gnome lock-delay setting lock","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 988","[CCE-80112-6] [dconf _gnome _screensaver _lock _enabled]","Enable GNOME3 Screensaver Lock After Idle Period","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 985","[CCE-80370-0] [dconf _gnome _screensaver _lock _delay]","Enable GNOME3 Screensaver Lock Delay After Idle Period","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 981","[CCE-80110-0] [dconf _gnome _screensaver _idle _delay]","Configure the GNOME3 GUI Screen locking","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 978","[CCE-80111-8] [dconf _gnome _screensaver _idle _activation _enabled]","Enable GNOME3 Screensaver Idle Activation","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 93703","[package _vsftpd _removed]","The operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 92515",,"Smartcard authentication enabled for graphical user logon.","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 924","[enable _dconf _user _profile]","Implement Local DB for DConf User Profile","Not applicable." "oval:mil.disa.stig.rhel7:def: 923","[package _dconf _installed]","Package dconf Installed","Not applicable." "oval:mil.disa.stig.rhel7:def: 922","[CCE-26970-4] [dconf _gnome _banner _enabled]","Enable GNOME3 Login Warning Banner","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 87041","","The operating system must have the required packages for multifactor authentication installed.","Multifactor not supportted." "oval:mil.disa.stig.rhel7:def: 86875","","Package openssh-server is version 7.4 or higher","openssh 9.0 installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 526","[package _aide _installed]","Package aide Installed","Not installed." "oval:mil.disa.stig.rhel7:def: 4248","[package _openssh-server _installed] [CCE-80215-7]","Package openssh-server Installed","openssh 9.0 installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 171","[CCE-80223-1] [sshd _use _priv _separation]","Use Privilege Separation","UsePrivilegeSeparation yes" "oval:mil.disa.stig.rhel7:def: 168","[CCE-27455-5] [sshd _use _approved _macs]","RHEL-07-040400 - The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms","Configurable by customer through admin ui." "oval:mil.disa.stig.rhel7:def: 166","[CCE-80225-6] [sshd _print _last _log]","The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon SSH logon.",1 "oval:mil.disa.stig.rhel7:def: 164","[CCE-80222-3] [sshd _enable _strictmodes]","Enable SSH Server Strict Mode","StrictModes yes" "oval:mil.disa.stig.rhel7:def: 162","[CCE-80221-5] [sshd _disable _kerb _auth]","Disable Kerberos Authentication","Configurable by customer through admin ui." "oval:mil.disa.stig.rhel7:def: 160","[CCE-80220-7] [sshd _disable _gssapi _auth]","Disable GSSAPI Authentication","Configurable by customer through admin ui." "oval:mil.disa.stig.rhel7:def: 156","[package _openssh-server _removed]","Package openssh-server Removed","openssh 9.0 installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1399","[CCE-27295-5] [sshd _use _approved _ciphers]","RHEL-07-040110 - The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections","Configurable by customer through admin ui." "oval:mil.disa.stig.rhel7:def: 1393","[CCE-27082-7] [sshd _set _keepalive]","Set ClientAliveCountMax for User Logins","ClientAliveInterval 600" "oval:mil.disa.stig.rhel7:def: 1389","[CCE-80226-4] [sshd _enable _forwarding]","RHEL-07-040710 - Disable X11 Forwarding","Gnome or X11 UI package not installed." "oval:mil.disa.stig.rhel7:def: 1385","[CCE-27363-1] [sshd _do _not _permit _user _env]","Do Not Allow Users to Set Environment Options","X11Forwarding no" "oval:mil.disa.stig.rhel7:def: 1383","[CCE-80372-6] [sshd _disable _user _known _hosts]","Disable SSH Support for User Known Hosts","IgnoreUserKnownHosts no" "oval:mil.disa.stig.rhel7:def: 1381","[CCE-27445-6] [sshd _disable _root _login]","Disable root Login via SSH","Root ssh not supportted." "oval:mil.disa.stig.rhel7:def: 1379","[CCE-80373-4] [sshd _disable _rhosts _rsa]","Disable SSH Support for Rhosts RSA Authentication","RhostsRSAAuthentication no" "oval:mil.disa.stig.rhel7:def: 1377","[CCE-27377-1] [sshd _disable _rhosts]","Disable .rhosts Files","IgnoreRhosts yes" "oval:mil.disa.stig.rhel7:def: 1340","[CCE-27157-7] [rpm _verify _hashes]","Verify File Hashes with RPM","RPM not supporttted" "oval:mil.disa.stig.rhel7:def: 1309","[CCE-27399-5] [package _ypserv _removed]","Package ypserv Removed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1305","[CCE-27218-7] [package _xorg-x11-server-common _removed]","Package xorg-x11-server-common Removed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1301","[package _vsftpd _removed]","Package vsftpd Removed","vsftpd required for some customers." "oval:mil.disa.stig.rhel7:def: 1296","[CCE-80213-2] [package _tftp-server _removed]","Package tftp-server Removed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1292","[package _telnet-server _removed] [CCE-27165-0]","Package telnet-server Removed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 128","[package _dracut-fips _installed]","Package dracut-fips Installed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1271","[CCE-27342-5] [package _rsh-server _removed]","Package rsh-server Removed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 127","[disable _prelink]","Disable Prelinking","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1264","[package _net-snmp _removed]","Package net-snmp Removed","net-snmp required for some customers." "oval:mil.disa.stig.rhel7:def: 1122","[CCE-80105-0] [gnome _gdm _disable _guest _login]","Disable GDM Guest Login","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1120","[package _gdm _installed]","Package gdm Installed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1119","[CCE-80104-3] [gnome _gdm _disable _automatic _login]","Disable GDM Automatic Login","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1017","[package _prelink _removed]","Package prelink Removed","Package not installed. (See open source package listing)" "oval:mil.disa.stig.rhel7:def: 1011","[CCE-27413-4] [disable _host _auth]","Disable Host-Based Authentication","Pam module not installed." "oval:mil.disa.stig.rhel7:def: 1","[cpe:/o:redhat:enterprise _linux:7] [installed _OS _is _rhel7]","Red Hat Enterprise Linux 7","Not Red Hat." Error --------------- .. ... :file: disa-stig-rhel7-v3r10-xccdf-scap-error.csv .. tabularcolumns:: |\Yl{0.3}|\Yl{0.3}|\Yl{0.2}|\Yl{0.2}| .. csv-table:: Error :class: longtable :header: "ID","Reference ID","Title","Response" :widths: 3 3 2 2 "oval:mil.disa.stig.rhel7:def: 455","[CCE-27002-5] [accounts _minimum _age _login _defs]","Set Password Expiration Parameters","Default settings. No additional users may be added." "oval:mil.disa.stig.rhel7:def: 453","[CCE-27051-2] [accounts _maximum _age _login _defs]","Set Password Expiration Parameters","Default settings. No additional users may be added." "oval:mil.disa.stig.rhel7:def: 305","[sysctl_runtime _net _ipv6 _conf _all _accept _source _route]","Kernel net.ipv6.conf .all.accept _source _route Parameter Runtime Check","net.ipv4.conf .all.accept _source _route = 0" "oval:mil.disa.stig.rhel7:def: 286","[sysctl _runtime _net _ipv4 _icmp _echo _ignore _broadcasts]","Kernel net.ipv4.icmp _echo _ignore _broadcasts Parameter Runtime Check","net.ipv4.icmp _echo _ignore _broadcasts = 1" "oval:mil.disa.stig.rhel7:def: 1391","[CCE-27433-2] [sshd _set _idle _timeout]","Set OpenSSH Idle Timeout Interval","ClientAliveInterval 600" "oval:mil.disa.stig.rhel7:def: 101","[CCE-80352-8] [accounts _logon _fail _delay]","Ensure that FAIL_DELAY is Configured in /etc/login.defs","FAIL_DELAY 3" True ------ No response provided. .. ... :file: disa-stig-rhel7-v3r10-xccdf-scap-true.csv .. tabularcolumns:: |\Yl{0.3}|\Yl{0.3}|\Yl{0.4}| .. csv-table:: True :class: longtable :header: "ID","Reference ID","Title" :widths: 3 3 4 "oval:mil.disa.stig.rhel7:def: 95719","[CCE-80354-4]","Set the UEFI Boot Loader Password" "oval:mil.disa.stig.rhel7:def: 95717","[CCE-27309-4]","Set Boot Loader Password (BIOS) for RHEL 7.2 and up" "oval:mil.disa.stig.rhel7:def: 86903","","There must be no shosts.equiv files on the system." "oval:mil.disa.stig.rhel7:def: 86901","","There must be no .shosts files on the system." "oval:mil.disa.stig.rhel7:def: 86635","","The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file." "oval:mil.disa.stig.rhel7:def: 86609","[CCE-27498-5]","File system automounter must be disabled unless required." "oval:mil.disa.stig.rhel7:def: 86551","","Passwords must be restricted to a 1 day minimum lifetime." "oval:mil.disa.stig.rhel7:def: 548","[system _info _architecture _64bit]","Test for 64-bit Architecture" "oval:mil.disa.stig.rhel7:def: 457","[CCE-27175-9] [accounts _no _uid _except _zero]","UID 0 Belongs Only To Root" "oval:mil.disa.stig.rhel7:def: 447","[CCE-80434-4] [accounts _have _homedir _login _defs]","Ensure new users receive home directories" "oval:mil.disa.stig.rhel7:def: 292","[sysctl _runtime _net _ipv4 _ip _forward]","Kernel net.ipv4.ip _forward Parameter Runtime Check" "oval:mil.disa.stig.rhel7:def: 291","[sysctl _static _net _ipv4 _ip _forward]","Kernel net.ipv4.ip _forward Parameter Configuration Check" "oval:mil.disa.stig.rhel7:def: 290","[CCE-80157-1] [sysctl _net _ipv4 _ip _forward]","Kernel net.ipv4.ip _forward Parameter Configuration and Runtime Check" "oval:mil.disa.stig.rhel7:def: 251","[CCE-27434-0] [sysctl _net _ipv4 _conf _all _accept _source _route]","Kernel net.ipv4.conf.all.accept _source _route Parameter Configuration and Runtime Check" "oval:mil.disa.stig.rhel7:def: 250","[sysctl _runtime _net _ipv4 _conf _all _accept _redirects]","Kernel net.ipv4.conf.all.accept _redirects Parameter Runtime Check" "oval:mil.disa.stig.rhel7:def: 249","[sysctl _static _net _ipv4 _conf _all _accept _redirects]","Kernel net.ipv4.conf.all.accept _redirects Parameter Configuration Check" "oval:mil.disa.stig.rhel7:def: 248","[CCE-80158-9] [sysctl _net _ipv4 _conf _all _accept _redirects]","Kernel net.ipv4.conf.all.accept _redirects Parameter Configuration and Runtime Check" "oval:mil.disa.stig.rhel7:def: 177","","RHEL-07-010341 - The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel." "oval:mil.disa.stig.rhel7:def: 173","[CCE-80350-2] [sudo _remove _no _authenticate]","Ensure !authenticate Is Not Used in Sudo" "oval:mil.disa.stig.rhel7:def: 158","[CCE-80224-9] [sshd _disable _compression]","Disable Compression Or Set Compression to delayed" "oval:mil.disa.stig.rhel7:def: 1427","[system _info _architecture _x86 _64]","Test for x86 _64 Architecture" "oval:mil.disa.stig.rhel7:def: 1375","[CCE-27471-2] [sshd _disable _empty _passwords]","Disable Empty Passwords" "oval:mil.disa.stig.rhel7:def: 1373","[CCE-27320-1] [sshd _allow _only _protocol2]","Ensure Only Protocol 2 Connections Allowed" "oval:mil.disa.stig.rhel7:def: 1369","[CCE-27386-2] [snmpd _not _default _password]","SNMP default communities disabled" "oval:mil.disa.stig.rhel7:def: 1365","[CCE-27124-7] [set _password _hashing _algorithm _logindefs]","Set SHA512 Password Hashing Algorithm in /etc/login.defs" "oval:mil.disa.stig.rhel7:def: 1229","[CCE-27286-4] [no _empty _passwords]","The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords." "oval:mil.disa.stig.rhel7:def: 120","[CCE-27311-0] [file _permissions _sshd _pub _key]","SSHD Service Public Key Permissions" "oval:mil.disa.stig.rhel7:def: 1186","[CCE-80240-5] [mount _option _nosuid _remote _filesystems]","Mount Remote Filesystems with nosuid" "oval:mil.disa.stig.rhel7:def: 118","[CCE-27485-2] [file _permissions _sshd _private _key]","RHEL-07-040420 - The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive." "oval:mil.disa.stig.rhel7:def: 1178","[CCE-80436-9] [mount _option _noexec _remote _filesystems]","Mount Remote Filesystems with noexec" "oval:mil.disa.stig.rhel7:def: 116","[CCE-80378-3] [file _owner _cron _allow]","Verify user who owns cron.allow file" "oval:mil.disa.stig.rhel7:def: 114","[CCE-80379-1] [file _groupowner _cron _allow]","Verify group who owns cron.allow file" "oval:mil.disa.stig.rhel7:def: 1009","[CCE-80136-5] [dir _perms _world _writable _system _owned]","Find world writable directories not group-owned by a system account"