From 2425856c1c52d080249c905811ec8c0beaacc9c5 Mon Sep 17 00:00:00 2001
From: Tom Camp
Date: Wed, 20 May 2020 08:24:10 -0600
Subject: [PATCH] Updating tailoring.
---
 appendices/justifications.md | 235 --------------------------
 keys/justifications.yaml | 149 +----------------
 tailoring/tailoring.xml | 20 +++
 templates/tailoring/tailoring.xml.j2 | 10 +-
 4 files changed, 30 insertions(+), 384 deletions(-)
 create mode 100644 tailoring/tailoring.xml
diff --git a/appendices/justifications.md b/appendices/justifications.md
index f5e88d4..886c454 100644
--- a/appendices/justifications.md
+++ b/appendices/justifications.md
@@ -22,218 +22,23 @@ - Rule ID: _xccdf_org.ssgproject.content_rule_install_antivirus_ - None -#### Verify and Correct File Permissions with RPM - -- Rule ID: _xccdf_org.ssgproject.content_rule_rpm_verify_permissions_ -- None - -#### Verify and Correct Ownership with RPM - -- Rule ID: _xccdf_org.ssgproject.content_rule_rpm_verify_ownership_ -- None - ### MEDIUM impact tailored controls -#### Ensure Logs Sent To Remote Host - -- Rule ID: _xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost_ -- None - -#### Ensure Logrotate Runs Periodically - -- Rule ID: _xccdf_org.ssgproject.content_rule_ensure_logrotate_activated_ -- None - -#### Ensure System Log Files Have Correct Permissions - -- Rule ID: _xccdf_org.ssgproject.content_rule_rsyslog_files_permissions_ -- None - -#### Install libreswan Package - -- Rule ID: _xccdf_org.ssgproject.content_rule_package_libreswan_installed_ -- None - -#### Verify ip6tables Enabled if Using IPv6 - -- Rule ID: _xccdf_org.ssgproject.content_rule_service_ip6tables_enabled_ -- None - -#### Set Default ip6tables Policy for Incoming Packets - -- Rule ID: _xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule_ -- None - -#### Set Default iptables Policy for Forwarded Packets - -- Rule ID: _xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward_ -- None - #### Disable Bluetooth Kernel Module - Rule ID: _xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled_ - None -#### Set Boot Loader Password in grub.conf - -- Rule ID: _xccdf_org.ssgproject.content_rule_grub_legacy_password_ -- None - -#### Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool - -- Rule ID: _xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives_ -- None - -#### Ensure that System Accounts Do Not Run a Shell Upon Login - -- Rule ID: _xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts_ -- None - -#### Set Password Minimum Length in login.defs - -- Rule ID: 
_xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs_ -- None - -#### Require Authentication for Single User Mode - -- Rule ID: _xccdf_org.ssgproject.content_rule_require_singleuser_auth_ -- None - #### Enable Smart Card Login - Rule ID: _xccdf_org.ssgproject.content_rule_smartcard_auth_ - None -#### Set Interactive Session Timeout - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_tmout_ -- None - -#### Modify the System Login Banner - -- Rule ID: _xccdf_org.ssgproject.content_rule_banner_etc_issue_ -- None - -#### Set Lockout Time for Failed Password Attempts - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time_ -- None - -#### Limit Password Reuse - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember_ -- None - -#### Set Interval For Counting Failed Password Attempts - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval_ -- None - -#### Set Deny For Failed Password Attempts - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_ -- None - -#### Ensure All Files Are Owned by a Group - -- Rule ID: _xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned_ -- None - -#### Ensure All Files Are Owned by a User - -- Rule ID: _xccdf_org.ssgproject.content_rule_no_files_unowned_by_user_ -- None - -#### Ensure All SUID Executables Are Authorized - -- Rule ID: _xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid_ -- None - -#### Verify that All World-Writable Directories Have Sticky Bits Set - -- Rule ID: _xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits_ -- None - -#### Verify that System Executables Have Restrictive Permissions - -- Rule ID: _xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs_ -- None - -#### Verify that System Executables Have Root Ownership - -- Rule ID: _xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs_ -- None - -#### 
Verify that Shared Library Files Have Restrictive Permissions - -- Rule ID: _xccdf_org.ssgproject.content_rule_file_permissions_library_dirs_ -- None - -#### Enable Randomized Layout of Virtual Address Space - -- Rule ID: _xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space_ -- None - -#### Add nosuid Option to /dev/shm - -- Rule ID: _xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid_ -- None - -#### Add nodev Option to /dev/shm - -- Rule ID: _xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev_ -- None - -#### Add noexec Option to /dev/shm - -- Rule ID: _xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec_ -- None - #### Disable Modprobe Loading of USB Storage Driver - Rule ID: _xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled_ - None -#### Configure auditd Disk Full Action when Disk Space Is Full - -- Rule ID: _xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_ -- None - -#### Configure auditd space_left on Low Disk Space - -- Rule ID: _xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_ -- None - -#### Configure auditd admin_space_left Action on Low Disk Space - -- Rule ID: _xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action_ -- None - -#### Configure auditd space_left Action on Low Disk Space - -- Rule ID: _xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action_ -- None - -#### Configure auditd Disk Error Action on Disk Error - -- Rule ID: _xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_ -- None - -#### Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - -- Rule ID: _xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ -- None - -#### Ensure auditd Collects File Deletion Events by User - -- Rule ID: _xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_ -- None - -#### Ensure auditd Collects Information on the Use of Privileged Commands - 
-- Rule ID: _xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ -- None - #### Configure SNMP Service to Use Only SNMPv3 or Newer - Rule ID: _xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol_ @@ -244,28 +49,13 @@ - Rule ID: _xccdf_org.ssgproject.content_rule_service_abrtd_disabled_ - None -#### Set SSH Client Alive Max Count - -- Rule ID: _xccdf_org.ssgproject.content_rule_sshd_set_keepalive_ -- None - ### LOW impact tailored controls -#### Limit the Number of Concurrent Login Sessions Allowed Per User - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions_ -- None - #### Ensure PAM Displays Last Logon/Access Notification - Rule ID: _xccdf_org.ssgproject.content_rule_display_login_attempts_ - None -#### Uninstall openldap-servers Package - -- Rule ID: _xccdf_org.ssgproject.content_rule_package_openldap-servers_removed_ -- None - #### Disable Red Hat Network Service (rhnsd) - Rule ID: _xccdf_org.ssgproject.content_rule_service_rhnsd_disabled_ @@ -278,28 +68,3 @@ - Rule ID: _xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc_ - None -#### Ensure the Default C Shell Umask is Set Correctly - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc_ -- None - -#### Ensure the Default Umask is Set Correctly in /etc/profile - -- Rule ID: _xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile_ -- None - -#### Set Daemon Umask - -- Rule ID: _xccdf_org.ssgproject.content_rule_umask_for_daemons_ -- None - -#### Require Client SMB Packet Signing, if using mount.cifs - -- Rule ID: _xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing_ -- None - -#### Disable DHCP Client in ifcfg - -- Rule ID: _xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg_ -- None - diff --git a/keys/justifications.yaml b/keys/justifications.yaml index 420b56a..ffd3f81 100644 --- a/keys/justifications.yaml +++ b/keys/justifications.yaml 
@@ -1,7 +1,9 @@ -tailoring: auth01 -profile: xccdf_org.ssgproject.content_profile_stig-rhel7-disa_20200513 -ssg_version: 1.46 +profile: xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream_customized +ssg_version: 0.1.49 baseline: DISA STIG +benchmark: /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml +time: '2020-05-14T13:53:12' +checklist: http://checklists.nist.gov/xccdf/1.2 catalog: high: - title: Prevent Login to Accounts With Empty Password 
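Review bot: The profile and benchmark now point at RHEL 6 content (`stig-rhel6-server-upstream_customized` against `ssg-rhel6-ds.xml`) while `baseline: DISA STIG` is left unchanged, so the metadata no longer records which OS release or STIG version this tailoring claims to implement, and the `_customized` suffix suggests a locally edited profile rather than the upstream one. Because this catalog is the audit record for every control that is tailored away, the source should be named explicitly, e.g. `baseline: DISA STIG (RHEL 6, SSG 0.1.49, upstream profile stig-rhel6-server-upstream, locally customized)`. The `tailoring: auth01` key is dropped here; the visible template only reads `justify.catalog`, but anything else that still reads `justify.tailoring` will fail to render. Every remaining catalog entry still carries `justification: ~`, so no rationale is recorded for any tailored control.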
@@ -13,152 +15,26 @@ catalog: - title: Install Virus Scanning Software rule_id: xccdf_org.ssgproject.content_rule_install_antivirus justification: ~ - - title: Verify and Correct File Permissions with RPM - rule_id: xccdf_org.ssgproject.content_rule_rpm_verify_permissions - justification: ~ - - title: Verify and Correct Ownership with RPM - rule_id: xccdf_org.ssgproject.content_rule_rpm_verify_ownership - justification: ~ medium: - - title: Ensure Logs Sent To Remote Host - rule_id: xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost - justification: ~ - - title: Ensure Logrotate Runs Periodically - rule_id: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated - justification: ~ - - title: Ensure System Log Files Have Correct Permissions - rule_id: xccdf_org.ssgproject.content_rule_rsyslog_files_permissions - justification: ~ - - title: Install libreswan Package - rule_id: xccdf_org.ssgproject.content_rule_package_libreswan_installed - justification: ~ - - title: Verify ip6tables Enabled if Using IPv6 - rule_id: xccdf_org.ssgproject.content_rule_service_ip6tables_enabled - justification: ~ - - title: Set Default ip6tables Policy for Incoming Packets - rule_id: xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule - justification: ~ - - title: Set Default iptables Policy for Forwarded Packets - rule_id: xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward - justification: ~ - title: Disable Bluetooth Kernel Module rule_id: xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled justification: ~ - - title: Set Boot Loader Password in grub.conf - rule_id: xccdf_org.ssgproject.content_rule_grub_legacy_password - justification: ~ - - title: Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool - rule_id: xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives - justification: ~ - - title: Ensure that System Accounts Do Not Run a Shell Upon Login - rule_id: 
xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts - justification: ~ - - title: Set Password Minimum Length in login.defs - rule_id: xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs - justification: ~ - - title: Require Authentication for Single User Mode - rule_id: xccdf_org.ssgproject.content_rule_require_singleuser_auth - justification: ~ - title: Enable Smart Card Login rule_id: xccdf_org.ssgproject.content_rule_smartcard_auth justification: ~ - - title: Set Interactive Session Timeout - rule_id: xccdf_org.ssgproject.content_rule_accounts_tmout - justification: ~ - - title: Modify the System Login Banner - rule_id: xccdf_org.ssgproject.content_rule_banner_etc_issue - justification: ~ - - title: Set Lockout Time for Failed Password Attempts - rule_id: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time - justification: ~ - - title: Limit Password Reuse - rule_id: xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember - justification: ~ - - title: Set Interval For Counting Failed Password Attempts - rule_id: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval - justification: ~ - - title: Set Deny For Failed Password Attempts - rule_id: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny - justification: ~ - - title: Ensure All Files Are Owned by a Group - rule_id: xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned - justification: ~ - - title: Ensure All Files Are Owned by a User - rule_id: xccdf_org.ssgproject.content_rule_no_files_unowned_by_user - justification: ~ - - title: Ensure All SUID Executables Are Authorized - rule_id: xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid - justification: ~ - - title: Verify that All World-Writable Directories Have Sticky Bits Set - rule_id: xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits - justification: ~ - - title: Verify that System Executables 
Have Restrictive Permissions - rule_id: xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs - justification: ~ - - title: Verify that System Executables Have Root Ownership - rule_id: xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs - justification: ~ - - title: Verify that Shared Library Files Have Restrictive Permissions - rule_id: xccdf_org.ssgproject.content_rule_file_permissions_library_dirs - justification: ~ - - title: Enable Randomized Layout of Virtual Address Space - rule_id: xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space - justification: ~ - - title: Add nosuid Option to /dev/shm - rule_id: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid - justification: ~ - - title: Add nodev Option to /dev/shm - rule_id: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev - justification: ~ - - title: Add noexec Option to /dev/shm - rule_id: xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec - justification: ~ - title: Disable Modprobe Loading of USB Storage Driver rule_id: xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled justification: ~ - - title: Configure auditd Disk Full Action when Disk Space Is Full - rule_id: xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action - justification: ~ - - title: Configure auditd space_left on Low Disk Space - rule_id: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left - justification: ~ - - title: Configure auditd admin_space_left Action on Low Disk Space - rule_id: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action - justification: ~ - - title: Configure auditd space_left Action on Low Disk Space - rule_id: xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action - justification: ~ - - title: Configure auditd Disk Error Action on Disk Error - rule_id: xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action - justification: ~ - - title: Ensure auditd Collects 
Unauthorized Access Attempts to Files (unsuccessful) - rule_id: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification - justification: ~ - - title: Ensure auditd Collects File Deletion Events by User - rule_id: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events - justification: ~ - - title: Ensure auditd Collects Information on the Use of Privileged Commands - rule_id: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands - justification: ~ - title: Configure SNMP Service to Use Only SNMPv3 or Newer rule_id: xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol justification: ~ - title: Disable Automatic Bug Reporting Tool (abrtd) rule_id: xccdf_org.ssgproject.content_rule_service_abrtd_disabled justification: ~ - - title: Set SSH Client Alive Max Count - rule_id: xccdf_org.ssgproject.content_rule_sshd_set_keepalive - justification: ~ low: - - title: Limit the Number of Concurrent Login Sessions Allowed Per User - rule_id: xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions - justification: ~ - title: Ensure PAM Displays Last Logon/Access Notification rule_id: xccdf_org.ssgproject.content_rule_display_login_attempts justification: ~ - - title: Uninstall openldap-servers Package - rule_id: xccdf_org.ssgproject.content_rule_package_openldap-servers_removed - justification: ~ - title: Disable Red Hat Network Service (rhnsd) rule_id: xccdf_org.ssgproject.content_rule_service_rhnsd_disabled justification: ~ 
@@ -166,18 +42,3 @@ catalog: - title: Ensure the Default Bash Umask is Set Correctly rule_id: xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc justification: ~ - - title: Ensure the Default C Shell Umask is Set Correctly - rule_id: xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc - justification: ~ - - title: Ensure the Default Umask is Set Correctly in /etc/profile - rule_id: xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile - justification: ~ - - title: Set Daemon Umask - rule_id: xccdf_org.ssgproject.content_rule_umask_for_daemons - justification: ~ - - title: Require Client SMB Packet Signing, if using mount.cifs - rule_id: xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing - justification: ~ - - title: Disable DHCP Client in ifcfg - rule_id: xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg - justification: ~ diff --git a/tailoring/tailoring.xml b/tailoring/tailoring.xml new file mode 100644 index 0000000..45f9882 --- /dev/null +++ b/tailoring/tailoring.xml @@ -0,0 +1,20 @@ + + + + 1 + + DISA STIG for Red Hat Enterprise Linux + This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux system. Regardless of your system's workload all of these checks should pass. + + + + + + + + + + + + + diff --git a/templates/tailoring/tailoring.xml.j2 b/templates/tailoring/tailoring.xml.j2 index 2ad7985..f85a39d 100644 --- a/templates/tailoring/tailoring.xml.j2 +++ b/templates/tailoring/tailoring.xml.j2 @@ -1,14 +1,14 @@ - + 1 DISA STIG for Red Hat Enterprise Linux This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux system. Regardless of your system's workload all of these checks should pass. - {%- for item in justify.catalog %} - {% for rule in item %} + {%- for key, item in justify.catalog.items() %} + {%- for rule in item %} - {% endfor %} - {% endfor %} + {%- endfor %} + {%- endfor %}
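Review bot: `key` is unpacked in the new outer loop but never referenced in the visible lines, so `{%- for item in justify.catalog.values() %}` says what is meant; if the per-rule body (not visible here, the page has stripped the XML elements) does use the impact level, keep the tuple form. The move from `for item in justify.catalog` to `.items()` fixes a real problem, since iterating the mapping directly yields the strings `high`/`medium`/`low` and the inner loop would then iterate their characters, so it deserves a short comment such as `{# catalog is a mapping impact-level -> list of tailored rules #}`. Every catalog entry in keys/justifications.yaml in this same commit has `justification: ~`; since this template presumably produces the selects that tailor controls out of the STIG profile, consider guarding the per-rule output with `{%- if rule.justification %}` (leaving an unjustified control enforced) or failing the render, so a control cannot be unselected silently without a recorded rationale. The switch to `{%-` only trims the newline before each tag and changes output whitespace, not content.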