STIG rules for RHEL7
This section details the STIG rules for Red Hat Enterprise Linux (RHEL) 7 that have been investigated for BMC Discovery. The STIG rules fall into four categories:
- STIG rules that BMC Discovery is compliant with, by default.
- STIG rules that are have been addressed, but have restrictions.
- STIG rules that are addressed using a script.
- STIG rules that are not applicable to BMC Discovery.
Addressed with restrictions
This category is for STIG rules that are addressed, but in some cases fall outside the precise scope of the rule. For example, some rules apply to the partitioning of a file system. Kickstarted BMC Discovery appliances might meet a rule, whereas upgraded appliances may not.
Addressed using a script
This section lists the STIG rules for Red Hat Enterprise Linux (RHEL) 7, which have been addressed in BMC Discovery using the tw_stig_control
script. The tw_stig_control
script runs other scripts, which enable STIG compliance for different functional areas of BMC Discovery. You must enable the following rules to achieve compliance. To enable compliance for all of the rules described in the following tables, run the tw_stig_control
script as the root user.
Th following scripts are executed by the tw_stig_control
script:
tw_stig_auditing
— the auditing functionality of BMC Discovery.tw_stig_local_env
— the local environment of BMC Discovery.tw_stig_remote_mgmt
— the remote management functionality of BMC Discovery.
Possible lock out
One of the changes made to comply with the STIG is to expire OS user passwords every 60 days. After a password has expired, there is a grace period of 35 days during which a user will be allowed to change their password on the first login attempt. After 35 days the user will be completely locked out (this also applies to the root user). Consequently, you should check that the root
, tideway
and netadmin
user passwords have been changed within the last 95 days before applying the STIG scripts described here, or you may be locked out from these accounts (and effectively from the VM itself unless you follow the boot recovery process). The password restrictions are applied by the tw_stig_local_env
script.
No automatic reversion
There is no automatic facility to revert the changes applied by these scripts.
Auditing creates significant additional logging
The tw_stig_auditing
script enables auditing on the system. Work has been done in the release to limit the number of privileged commands BMC Discovery needs to run during discovery but you will need management processes in place to ensure that there is sufficient space for additional logging in the /var/log
and /var/log/audit
directories or partitions.
You can choose to run the scripts individually but if you choose not to run a script then the appliance will not comply with all of the STIG rules in that functional area.
Not applicable to BMC Discovery
This category of STIG rules for RHEL7 are not applicable to BMC Discovery. The table describes the rules and, where required, provides a brief explanation for non-applicability, and if appropriate, gives details of workarounds.
STIG rules for RHEL7
Group ID | Rule Version | Rule Title | Status | Detail | Script |
---|---|---|---|---|---|
V-71849 | RHEL-07-010010 | The file permissions, ownership, and group membership of system files and commands must match the vendor values. | Addressed with Restrictions | Some permissions and ownerships have been updated when required for Discovery functionality or hardening. | |
V-71855 | RHEL-07-010020 | The cryptographic hash of system files and commands must match vendor values. | Addressed with Restrictions | Some permissions and ownerships have been updated when required for Discovery functionality or hardening. | |
V-71859 | RHEL-07-010030 | The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | Not Applicable | ||
V-71861 | RHEL-07-010040 | The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. | Not Applicable | ||
V-71863 | RHEL-07-010050 | The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Not Applicable | ||
V-71891 | RHEL-07-010060 | The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. | Not Applicable | ||
V-71893 | RHEL-07-010070 | The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. | Not Applicable | ||
V-71897 | RHEL-07-010090 | The operating system must have the screen package installed. | Default | ||
V-71899 | RHEL-07-010100 | The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. | Not Applicable | ||
V-71901 | RHEL-07-010110 | The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. | Not Applicable | ||
V-71903 | RHEL-07-010120 | When passwords are changed or new passwords are established, the new password must contain at least one upper-case character. | Default | ||
V-71905 | RHEL-07-010130 | When passwords are changed or new passwords are established, the new password must contain at least one lower-case character. | Default | ||
V-71907 | RHEL-07-010140 | When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. | Default | ||
V-71909 | RHEL-07-010150 | When passwords are changed or new passwords are assigned, the new password must contain at least one special character. | Default | ||
V-71911 | RHEL-07-010160 | When passwords are changed a minimum of eight of the total number of characters must be changed. | Default | ||
V-71913 | RHEL-07-010170 | When passwords are changed a minimum of four character classes must be changed. | Default | ||
V-71915 | RHEL-07-010180 | When passwords are changed the number of repeating consecutive characters must not be more than three characters. | Default | ||
V-71917 | RHEL-07-010190 | When passwords are changed the number of repeating characters of the same character class must not be more than four characters. | Compliance Script | tw_stig_local_env | |
V-71919 | RHEL-07-010200 | The PAM system service must be configured to store only encrypted representations of passwords. | Default | ||
V-71921 | RHEL-07-010210 | The shadow file must be configured to store only encrypted representations of passwords. | Default | ||
V-71923 | RHEL-07-010220 | User and group account administration utilities must be configured to store only encrypted representations of passwords. | Default | ||
V-71925 | RHEL-07-010230 | Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime. | Compliance Script | tw_stig_local_env | |
V-71927 | RHEL-07-010240 | Passwords must be restricted to a 24 hours/1 day minimum lifetime. | Compliance Script | tw_stig_local_env | |
V-71929 | RHEL-07-010250 | Passwords for new users must be restricted to a 60-day maximum lifetime. | Compliance Script | tw_stig_local_env | |
V-71931 | RHEL-07-010260 | Existing passwords must be restricted to a 60-day maximum lifetime. | Compliance Script | tw_stig_local_env | |
V-71933 | RHEL-07-010270 | Passwords must be prohibited from reuse for a minimum of five generations. | Compliance Script | tw_stig_local_env | |
V-71935 | RHEL-07-010280 | Passwords must be a minimum of 15 characters in length. | Compliance Script | tw_stig_local_env | |
V-71937 | RHEL-07-010290 | The system must not have accounts configured with blank or null passwords. | Default | ||
V-71939 | RHEL-07-010300 | The SSH daemon must not allow authentication using an empty password. | Default | ||
V-71941 | RHEL-07-010310 | The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. | Compliance Script | tw_stig_local_env | |
V-71943 | RHEL-07-010320 | Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period. | Compliance Script | tw_stig_local_env | |
V-71945 | RHEL-07-010330 | If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked. | Compliance Script | tw_stig_local_env | |
V-71947 | RHEL-07-010340 | Users must provide a password for privilege escalation. | Addressed with Restrictions | The tideway user requires passwordless escalation for various tasks. | |
V-71949 | RHEL-07-010350 | Users must re-authenticate for privilege escalation. | Addressed with Restrictions | The tideway user requires escalation for various tasks. | |
V-71951 | RHEL-07-010430 | The delay between logon prompts following a failed console logon attempt must be at least four seconds. | Compliance Script | tw_stig_local_env | |
V-71953 | RHEL-07-010440 | The operating system must not allow an unattended or automatic logon to the system via a graphical user interface. | Not Applicable | ||
V-71955 | RHEL-07-010450 | The operating system must not allow an unrestricted logon to the system. | Not Applicable | ||
V-71957 | RHEL-07-010460 | The operating system must not allow users to override SSH environment variables. | Compliance Script | tw_stig_remote_mgmt | |
V-71959 | RHEL-07-010470 | The operating system must not allow a non-certificate trusted host SSH logon to the system. | Compliance Script | tw_stig_remote_mgmt | |
V-71961 | RHEL-07-010480 | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. | Default | ||
V-71963 | RHEL-07-010490 | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. | Not Applicable | ||
V-71965 | RHEL-07-010500 | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Not applicable | ||
V-71967 | RHEL-07-020000 | The rsh-server package must not be installed. | Default | ||
V-71969 | RHEL-07-020010 | The ypserv package must not be installed. | Default | ||
V-71971 | RHEL-07-020020 | The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Not Applicable | ||
V-71973 | RHEL-07-020030 | A file integrity tool must verify the baseline operating system configuration at least weekly. | Addressed with Restrictions | The Discovery appliance uses Open Source Tripwire which can be commissioned as part of the baseline process. | |
V-71975 | RHEL-07-020040 | Designated personnel must be notified if baseline configurations are changed in an unauthorized manner. | Addressed with Restrictions | Administrators can be emailed if baseline checks fail. | |
V-71977 | RHEL-07-020050 | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Not Applicable | ||
V-71979 | RHEL-07-020060 | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | Not Applicable | ||
V-71981 | RHEL-07-020070 | The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata. | Not Applicable | Discovery is a self-contained appliance and is not connected to any repositories. | |
V-71983 | RHEL-07-020100 | USB mass storage must be disabled. | Default | ||
V-71985 | RHEL-07-020110 | File system automounter must be disabled unless required. | Default | ||
V-71987 | RHEL-07-020200 | The operating system must remove all software components after updated versions have been installed. | Not Applicable | ||
V-71989 | RHEL-07-020210 | The operating system must enable SELinux. | Not Applicable | Discovery is delivered as an appliance and does not enable SELinux. | |
V-71991 | RHEL-07-020220 | The operating system must enable the SELinux targeted policy. | Not Applicable | Discovery is delivered as an appliance and does not enable SELinux. | |
V-71993 | RHEL-07-020230 | The x86 Ctrl-Alt-Delete key sequence must be disabled. | Default | ||
V-71995 | RHEL-07-020240 | The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Default | ||
V-71997 | RHEL-07-020250 | The operating system must be a vendor supported release. | Not Applicable | Discovery uses CentOS. | |
V-71999 | RHEL-07-020260 | Vendor packaged system security patches and updates must be installed and up to date. | Default | ||
V-72001 | RHEL-07-020270 | The system must not have unnecessary accounts. | Default | ||
V-72003 | RHEL-07-020300 | All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. | Default | ||
V-72005 | RHEL-07-020310 | The root account must be the only account having unrestricted access to the system. | Default | ||
V-72007 | RHEL-07-020320 | All files and directories must have a valid owner. | Default | ||
V-72009 | RHEL-07-020330 | All files and directories must have a valid group owner. | Default | ||
V-72011 | RHEL-07-020600 | All local interactive users must have a home directory assigned in the /etc/passwd file. | Default | ||
V-72013 | RHEL-07-020610 | All local interactive user accounts, upon creation, must be assigned a home directory. | Default | ||
V-72015 | RHEL-07-020620 | All local interactive user home directories defined in the /etc/passwd file must exist. | Default | ||
V-72017 | RHEL-07-020630 | All local interactive user home directories must have mode 0750 or less permissive. | Not Applicable | Discovery sets permissions as required for functionality. | |
V-72019 | RHEL-07-020640 | All local interactive user home directories must be owned by their respective users. | Not Applicable | Discovery sets ownderships as required for functionality. | |
V-72021 | RHEL-07-020650 | All local interactive user home directories must be group-owned by the home directory owners primary group. | Default | ||
V-72023 | RHEL-07-020660 | All files and directories contained in local interactive user home directories must be owned by the owner of the home directory. | Not Applicable | Discovery sets ownderships as required for functionality. | |
V-72025 | RHEL-07-020670 | All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member. | Not Applicable | Discovery sets ownderships as required for functionality. | |
V-72027 | RHEL-07-020680 | All files and directories contained in local interactive user home directories must have mode 0750 or less permissive. | Not Applicable | Discovery sets permissions as required for functionality. | |
V-72029 | RHEL-07-020690 | All local initialization files for interactive users must be owned by the home directory user or root. | Default | ||
V-72031 | RHEL-07-020700 | Local initialization files for local interactive users must be group-owned by the users primary group or root. | Default | ||
V-72033 | RHEL-07-020710 | All local initialization files must have mode 0740 or less permissive. | Default | ||
V-72035 | RHEL-07-020720 | All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. | Not Applicable | The Discovery appliance is configured as required for functionality. | |
V-72037 | RHEL-07-020730 | Local initialization files must not execute world-writable programs. | Default | ||
V-72039 | RHEL-07-020900 | All system device files must be correctly labeled to prevent unauthorized modification. | Default | ||
V-72041 | RHEL-07-021000 | File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. | Default | ||
V-72043 | RHEL-07-021010 | File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. | Not Applicable | ||
V-72045 | RHEL-07-021020 | File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. | Default | ||
V-72047 | RHEL-07-021030 | All world-writable directories must be group-owned by root, sys, bin, or an application group. | Default | ||
V-72049 | RHEL-07-021040 | The umask must be set to 077 for all local interactive user accounts. | Not Applicable | Discovery sets permissions as required for functionality. | |
V-72051 | RHEL-07-021100 | Cron logging must be implemented. | Default | ||
V-72053 | RHEL-07-021110 | If the cron.allow file exists it must be owned by root. | Default | ||
V-72055 | RHEL-07-021120 | If the cron.allow file exists it must be group-owned by root. | Default | ||
V-72057 | RHEL-07-021300 | Kernel core dumps must be disabled unless needed. | Not Applicable | Kernel core dumps may be required to support the appliance. | |
V-72059 | RHEL-07-021310 | A separate file system must be used for user home directories (such as /home or an equivalent). | Not Applicable | Discovery user home directories are created as required for functionality. | |
V-72061 | RHEL-07-021320 | The system must use a separate file system for /var. | Default | ||
V-72063 | RHEL-07-021330 | The system must use a separate file system for the system audit data path. | Default | ||
V-72065 | RHEL-07-021340 | The system must use a separate file system for /tmp (or equivalent). | Default | /tmp is a tmpfs filesystem. | |
V-72067 | RHEL-07-021350 | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Documentation | ||
V-72069 | RHEL-07-021600 | The file integrity tool must be configured to verify Access Control Lists (ACLs). | Default | The Discovery appliance uses Open Source Tripwire which can be commissioned as part of the baseline process. | |
V-72071 | RHEL-07-021610 | The file integrity tool must be configured to verify extended attributes. | Default | The Discovery appliance uses Open Source Tripwire which can be commissioned as part of the baseline process. | |
V-72073 | RHEL-07-021620 | The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | Default | The Discovery appliance provides FIPS mode if required. | |
V-72075 | RHEL-07-021700 | The system must not allow removable media to be used as the boot loader unless approved. | Default | ||
V-72077 | RHEL-07-021710 | The telnet-server package must not be installed. | Default | ||
V-72079 | RHEL-07-030000 | Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. | Compliance Script | tw_stig_auditing | |
V-72081 | RHEL-07-030010 | The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator SA and Information System Security Officer ISSO at a minimum) in the event of an audit processing failure. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72083 | RHEL-07-030300 | The operating system must off-load audit records onto a different system or media from the system being audited. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72085 | RHEL-07-030310 | The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72087 | RHEL-07-030320 | The audit system must take appropriate action when the audit storage volume is full. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72089 | RHEL-07-030330 | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72091 | RHEL-07-030340 | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72093 | RHEL-07-030350 | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-72095 | RHEL-07-030360 | All privileged function executions must be audited. | Compliance Script | tw_stig_auditing | |
V-72097 | RHEL-07-030370 | All uses of the chown command must be audited. | Compliance Script | tw_stig_auditing | |
V-72099 | RHEL-07-030380 | All uses of the fchown command must be audited. | Compliance Script | tw_stig_auditing | |
V-72101 | RHEL-07-030390 | All uses of the lchown command must be audited. | Compliance Script | tw_stig_auditing | |
V-72103 | RHEL-07-030400 | All uses of the fchownat command must be audited. | Compliance Script | tw_stig_auditing | |
V-72105 | RHEL-07-030410 | All uses of the chmod command must be audited. | Compliance Script | tw_stig_auditing | |
V-72107 | RHEL-07-030420 | All uses of the fchmod command must be audited. | Compliance Script | tw_stig_auditing | |
V-72109 | RHEL-07-030430 | All uses of the fchmodat command must be audited. | Compliance Script | tw_stig_auditing | |
V-72111 | RHEL-07-030440 | All uses of the setxattr command must be audited. | Compliance Script | tw_stig_auditing | |
V-72113 | RHEL-07-030450 | All uses of the fsetxattr command must be audited. | Compliance Script | tw_stig_auditing | |
V-72115 | RHEL-07-030460 | All uses of the lsetxattr command must be audited. | Compliance Script | tw_stig_auditing | |
V-72117 | RHEL-07-030470 | All uses of the removexattr command must be audited. | Compliance Script | tw_stig_auditing | |
V-72119 | RHEL-07-030480 | All uses of the fremovexattr command must be audited. | Compliance Script | tw_stig_auditing | |
V-72121 | RHEL-07-030490 | All uses of the lremovexattr command must be audited. | Compliance Script | tw_stig_auditing | |
V-72123 | RHEL-07-030500 | All uses of the creat command must be audited. | Compliance Script | tw_stig_auditing | |
V-72125 | RHEL-07-030510 | All uses of the open command must be audited. | Compliance Script | tw_stig_auditing | |
V-72127 | RHEL-07-030520 | All uses of the openat command must be audited. | Compliance Script | tw_stig_auditing | |
V-72129 | RHEL-07-030530 | All uses of the open_by_handle_at command must be audited. | Compliance Script | tw_stig_auditing | |
V-72131 | RHEL-07-030540 | All uses of the truncate command must be audited. | Compliance Script | tw_stig_auditing | |
V-72133 | RHEL-07-030550 | All uses of the ftruncate command must be audited. | Compliance Script | tw_stig_auditing | |
V-72135 | RHEL-07-030560 | All uses of the semanage command must be audited. | Compliance Script | tw_stig_auditing | |
V-72137 | RHEL-07-030570 | All uses of the setsebool command must be audited. | Compliance Script | tw_stig_auditing | |
V-72139 | RHEL-07-030580 | All uses of the chcon command must be audited. | Compliance Script | tw_stig_auditing | |
V-72141 | RHEL-07-030590 | All uses of the setfiles command must be audited. | Compliance Script | tw_stig_auditing | |
V-72143 | RHEL-07-030600 | The operating system must generate audit records for all successful/unsuccessful account access count events. | Compliance Script | tw_stig_auditing | |
V-72145 | RHEL-07-030610 | The operating system must generate audit records for all unsuccessful account access events. | Compliance Script | tw_stig_auditing | |
V-72147 | RHEL-07-030620 | The operating system must generate audit records for all successful account access events. | Compliance Script | tw_stig_auditing | |
V-72149 | RHEL-07-030630 | All uses of the passwd command must be audited. | Compliance Script | tw_stig_auditing | |
V-72151 | RHEL-07-030640 | All uses of the unix_chkpwd command must be audited. | Compliance Script | tw_stig_auditing | |
V-72153 | RHEL-07-030650 | All uses of the gpasswd command must be audited. | Compliance Script | tw_stig_auditing | |
V-72155 | RHEL-07-030660 | All uses of the chage command must be audited. | Compliance Script | tw_stig_auditing | |
V-72157 | RHEL-07-030670 | All uses of the userhelper command must be audited. | Compliance Script | tw_stig_auditing | |
V-72159 | RHEL-07-030680 | All uses of the su command must be audited. | Compliance Script | tw_stig_auditing | |
V-72161 | RHEL-07-030690 | All uses of the sudo command must be audited. | Compliance Script | tw_stig_auditing | |
V-72163 | RHEL-07-030700 | All uses of the sudoers command must be audited. | Compliance Script | tw_stig_auditing | |
V-72165 | RHEL-07-030710 | All uses of the newgrp command must be audited. | Compliance Script | tw_stig_auditing | |
V-72167 | RHEL-07-030720 | All uses of the chsh command must be audited. | Compliance Script | tw_stig_auditing | |
V-72169 | RHEL-07-030730 | All uses of the sudoedit command must be audited. | Compliance Script | tw_stig_auditing | |
V-72171 | RHEL-07-030740 | All uses of the mount command must be audited. | Compliance Script | tw_stig_auditing | |
V-72173 | RHEL-07-030750 | All uses of the umount command must be audited. | Compliance Script | tw_stig_auditing | |
V-72175 | RHEL-07-030760 | All uses of the postdrop command must be audited. | Compliance Script | tw_stig_auditing | |
V-72177 | RHEL-07-030770 | All uses of the postqueue command must be audited. | Compliance Script | tw_stig_auditing | |
V-72179 | RHEL-07-030780 | All uses of the ssh-keysign command must be audited. | Compliance Script | tw_stig_auditing | |
V-72183 | RHEL-07-030800 | All uses of the crontab command must be audited. | Compliance Script | tw_stig_auditing | |
V-72185 | RHEL-07-030810 | All uses of the pam_timestamp_check command must be audited. | Compliance Script | tw_stig_auditing | |
V-72187 | RHEL-07-030820 | All uses of the init_module command must be audited. | Compliance Script | tw_stig_auditing | |
V-72189 | RHEL-07-030830 | All uses of the delete_module command must be audited. | Compliance Script | tw_stig_auditing | |
V-72191 | RHEL-07-030840 | All uses of the insmod command must be audited. | Compliance Script | tw_stig_auditing | |
V-72193 | RHEL-07-030850 | All uses of the rmmod command must be audited. | Compliance Script | tw_stig_auditing | |
V-72195 | RHEL-07-030860 | All uses of the modprobe command must be audited. | Compliance Script | tw_stig_auditing | |
V-72197 | RHEL-07-030870 | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | Compliance Script | tw_stig_auditing | |
V-72199 | RHEL-07-030880 | All uses of the rename command must be audited. | Compliance Script | tw_stig_auditing | |
V-72201 | RHEL-07-030890 | All uses of the renameat command must be audited. | Compliance Script | tw_stig_auditing | |
V-72203 | RHEL-07-030900 | All uses of the rmdir command must be audited. | Compliance Script | tw_stig_auditing | |
V-72205 | RHEL-07-030910 | All uses of the unlink command must be audited. | Compliance Script | tw_stig_auditing | |
V-72207 | RHEL-07-030920 | All uses of the unlinkat command must be audited. | Compliance Script | tw_stig_auditing | |
V-72209 | RHEL-07-031000 | The system must send rsyslog output to a log aggregation server. | Default | Compliant when an onsite configuration is made. | |
V-72211 | RHEL-07-031010 | The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation. | Default | ||
V-72213 | RHEL-07-032000 | The system must use a virus scan program. | Not Applicable | Documentation | |
V-72215 | RHEL-07-032010 | The system must update the virus scan program every seven days or more frequently. | Not Applicable | Documentation | |
V-72217 | RHEL-07-040000 | The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Compliance Script | tw_stig_remote_mgmt | |
V-72219 | RHEL-07-040100 | The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. | Default | ||
V-72221 | RHEL-07-040110 | A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications. | Default | The Discovery appliance uses FIPS 140-2 compliant algorithms and provides FIPS mode for strict adherence. | |
V-72223 | RHEL-07-040160 | All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | Compliance Script | tw_stig_remote_mgmt | |
V-72225 | RHEL-07-040170 | The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts. | Not Applicable | ||
V-72227 | RHEL-07-040180 | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. | Not Applicable | ||
V-72229 | RHEL-07-040190 | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. | Not Applicable | ||
V-72231 | RHEL-07-040200 | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. | Not Applicable | ||
V-72233 | RHEL-07-040300 | All networked systems must have SSH installed. | Default | ||
V-72235 | RHEL-07-040310 | All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission. | Default | ||
V-72237 | RHEL-07-040320 | All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. | Compliance Script | tw_stig_remote_mgmt | |
V-72239 | RHEL-07-040330 | The SSH daemon must not allow authentication using RSA rhosts authentication. | Default | ||
V-72241 | RHEL-07-040340 | All network connections associated with SSH traffic must terminate after a period of inactivity. | Default | ||
V-72243 | RHEL-07-040350 | The SSH daemon must not allow authentication using rhosts authentication. | Compliance Script | tw_stig_remote_mgmt | |
V-72245 | RHEL-07-040360 | The system must display the date and time of the last successful account logon upon an SSH logon. | Default | ||
V-72247 | RHEL-07-040370 | The system must not permit direct logons to the root account using remote access via SSH. | Default | ||
V-72249 | RHEL-07-040380 | The SSH daemon must not allow authentication using known hosts authentication. | Compliance Script | tw_stig_remote_mgmt | |
V-72251 | RHEL-07-040390 | The SSH daemon must be configured to only use the SSHv2 protocol. | Default | ||
V-72253 | RHEL-07-040400 | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | Default | ||
V-72255 | RHEL-07-040410 | The SSH public host key files must have mode 0644 or less permissive. | Default | ||
V-72257 | RHEL-07-040420 | The SSH private host key files must have mode 0600 or less permissive. | Default | ||
V-72259 | RHEL-07-040430 | The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. | Default | ||
V-72261 | RHEL-07-040440 | The SSH daemon must not permit Kerberos authentication unless needed. | Default | ||
V-72263 | RHEL-07-040450 | The SSH daemon must perform strict mode checking of home directory configuration files. | Default | ||
V-72265 | RHEL-07-040460 | The SSH daemon must use privilege separation. | Default | ||
V-72267 | RHEL-07-040470 | The SSH daemon must not allow compression or must only allow compression after successful authentication. | Compliance Script | tw_stig_remote_mgmt | |
V-72269 | RHEL-07-040500 | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | Not Applicable | Discovery provides NTP configuration. | |
V-72271 | RHEL-07-040510 | The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces. | Not Applicable | The Discovery appliance firewall is configured as required for functionality. | |
V-72273 | RHEL-07-040520 | The operating system must enable an application firewall, if available. | Default | ||
V-72275 | RHEL-07-040530 | The system must display the date and time of the last successful account logon upon logon. | Default | ||
V-72277 | RHEL-07-040540 | There must be no .shosts files on the system. | Default | ||
V-72279 | RHEL-07-040550 | There must be no shosts.equiv files on the system. | Default | ||
V-72281 | RHEL-07-040600 | For systems using DNS resolution, at least two name servers must be configured. | Not Applicable | This is an onsite configuration. | |
V-72283 | RHEL-07-040610 | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets. | Default | ||
V-72285 | RHEL-07-040620 | The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. | Default | ||
V-72287 | RHEL-07-040630 | The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Default | ||
V-72289 | RHEL-07-040640 | The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Default | ||
V-72291 | RHEL-07-040650 | The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. | Default | ||
V-72293 | RHEL-07-040660 | The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. | Default | ||
V-72295 | RHEL-07-040670 | Network interfaces must not be in promiscuous mode. | Default | ||
V-72297 | RHEL-07-040680 | The system must be configured to prevent unrestricted mail relaying. | Not Applicable | The Discovery appliance firewall prevents all mail communication, no smtpd service running. | |
V-72299 | RHEL-07-040690 | A File Transfer Protocol (FTP) server package must not be installed unless needed. | Default | ||
V-72301 | RHEL-07-040700 | The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support. | Default | ||
V-72303 | RHEL-07-040710 | Remote X connections for interactive users must be encrypted. | Not Applicable. | ||
V-72305 | RHEL-07-040720 | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. | Not Applicable | ||
V-72307 | RHEL-07-040730 | An X Windows display manager must not be installed unless approved. | Default | ||
V-72309 | RHEL-07-040740 | The system must not be performing packet forwarding unless the system is a router. | Default | ||
V-72311 | RHEL-07-040750 | The Network File System (NFS) must be configured to use RPCSEC_GSS. | Not Applicable | ||
V-72313 | RHEL-07-040800 | SNMP community strings must be changed from the default. | Compliance Script | tw_stig_remote_mgmt | |
V-72315 | RHEL-07-040810 | The system access control program must be configured to grant or deny system access to specific hosts and services. | Default | ||
V-72317 | RHEL-07-040820 | The system must not have unauthorized IP tunnels configured. | Not Applicable | ||
V-72319 | RHEL-07-040830 | The system must not forward IPv6 source-routed packets. | Default | ||
V-72417 | RHEL-07-041001 | The operating system must have the required packages for multifactor authentication installed. | Not Applicable | ||
V-72427 | RHEL-07-041002 | The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Not Applicable | ||
V-72433 | RHEL-07-041003 | The operating system must implement certificate status checking for PKI authentication. | Not Applicable | ||
V-73155 | RHEL-07-010081 | The operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface. | Not Applicable | ||
V-73157 | RHEL-07-010082 | The operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface. | Not Applicable | ||
V-73159 | RHEL-07-010119 | When passwords are changed or new passwords are established, pwquality must be used. | Default | ||
V-73161 | RHEL-07-021021 | File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. | Default | ||
V-73163 | RHEL-07-030321 | The audit system must take appropriate action when there is an error sending audit records to a remote system. | Compliance Script | Compliant when an onsite configuration is made after running the compliance script. | tw_stig_auditing |
V-73165 | RHEL-07-030871 | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | Compliance Script | tw_stig_auditing | |
V-73167 | RHEL-07-030872 | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | Compliance Script | tw_stig_auditing | |
V-73171 | RHEL-07-030873 | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | Compliance Script | tw_stig_auditing | |
V-73173 | RHEL-07-030874 | The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | Compliance Script | tw_stig_auditing | |
V-73175 | RHEL-07-040641 | The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. | Default | ||
V-73177 | RHEL-07-041010 | Wireless network adapters must be disabled. | Not Applicable | ||
V-77819 | RHEL-07-010061 | The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. | Not Applicable | ||
V-77821 | RHEL-07-020101 | The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required. | Default | ||
V-77823 | RHEL-07-010481 | The operating system must require authentication upon booting into single-user and maintenance modes. | Default | ||
V-77825 | RHEL-07-040201 | The operating system must implement virtual address space randomization. | Compliance Script | tw_stig_local_env | |
V-78995 | RHEL-07-010062 | The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. | Not Applicable | ||
V-78997 | RHEL-07-010101 | The operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. | Not Applicable | ||
V-78999 | RHEL-07-030819 | All uses of the create_module command must be audited. | Compliance Script | tw_stig_auditing |
Comments
Log in or register to comment.