STIG rules for RHEL6 met using compliance script

This section lists the STIG rules for Red Hat Enterprise Linux (RHEL) 6, which have been addressed in BMC Discovery. The tw_stig_control script, in turn runs the following scripts, which enable STIG compliance for different functional areas of BMC Discovery. You must enable the following rules to achieve compliance. To enable compliance for all of the rules described in the following tables, run the tw_stig_control script as the root user.

Th following scripts are executed by the tw_stig_control script:

tw_stig_auditing — the auditing functionality of BMC Discovery.
tw_stig_local_env — the local environment of BMC Discovery.
tw_stig_remote_mgmt — the remote management functionality of BMC Discovery.

Possible lock out

One of the changes made to comply with the STIG is to expire OS user passwords every 60 days. After a password has expired, there is a grace period of 35 days during which a user will be allowed to change their password on the first login attempt. After 35 days the user will be completely locked out (this also applies to the root user). Consequently, you should check that the root, tideway and netadmin user passwords have been changed within the last 95 days before applying the STIG scripts described here, or you may be locked out from these accounts (and effectively from the VM itself). The password restrictions are applied by the tw_stig_local_env script.

No automatic reversion

There is no automatic facility to revert the changes applied by these scripts.

Auditing creates significant additional logging

The tw_stig_auditing script enables auditing on the system. Work has been done in the release to limit the number of privileged commands BMC Discovery needs to run during discovery but you will need management processes in place to ensure that there is sufficient space for additional logging in the /var/log and /var/log/audit directories or partitions.

You can choose to run the scripts individually but if you choose not to run a script then the appliance will not comply with all of the STIG rules in that functional area.

Click here to expand...

[root@appliance01 bin]# sh tw_stig_control

The following scripts will be run that change the configuration
required to satisfy the listed DISA RHEL6 STIG requirements.

./tw_stig_auditing:
RHEL-06-000145, RHEL-06-000148, RHEL-06-000154, RHEL-06-000159
RHEL-06-000160, RHEL-06-000161, RHEL-06-000165, RHEL-06-000167
RHEL-06-000169, RHEL-06-000171, RHEL-06-000173, RHEL-06-000174
RHEL-06-000175, RHEL-06-000176, RHEL-06-000177, RHEL-06-000182
RHEL-06-000183, RHEL-06-000184, RHEL-06-000185, RHEL-06-000186
RHEL-06-000187, RHEL-06-000188, RHEL-06-000189, RHEL-06-000190
RHEL-06-000191, RHEL-06-000192, RHEL-06-000193, RHEL-06-000194
RHEL-06-000195, RHEL-06-000196, RHEL-06-000197, RHEL-06-000198
RHEL-06-000199, RHEL-06-000200, RHEL-06-000201, RHEL-06-000202
RHEL-06-000509, RHEL-06-000525

./tw_stig_local_env:
RHEL-06-000051, RHEL-06-000053, RHEL-06-000056, RHEL-06-000057
RHEL-06-000058, RHEL-06-000059, RHEL-06-000060, RHEL-06-000061
RHEL-06-000069, RHEL-06-000070, RHEL-06-000274, RHEL-06-000299
RHEL-06-000334, RHEL-06-000335, RHEL-06-000356, RHEL-06-000357

./tw_stig_remote_mgmt:
RHEL-06-000230, RHEL-06-000231, RHEL-06-000241, RHEL-06-000319
RHEL-06-000340, RHEL-06-000341

Please note: A reboot is required to complete the configuration
changes.

Are you sure you want to perform the configuration changes (yes/no)?
[root@appliance01 bin]#

STIG rules for auditing

The following table lists the STIG rules for auditing(tw_stig_auditing).

Rule number	Description
RHEL-06-000145 V-38628	Auditing must be implemented.
RHEL-06-000148 V-38631	Auditing must be implemented.
RHEL-06-000154 V-38632	Auditing must be implemented.
RHEL-06-000159 V-38636	The system must retain enough rotated audit logs to cover the required log retention period.
RHEL-06-000160 V-38633	The system must set a maximum audit log file size.
RHEL-06-000161 V-38634	The system must rotate audit log files that reach the maximum file size.
RHEL-06-000167 V-38522	The audit system must be configured to audit all attempts to alter system time through settimeofday.
RHEL-06-000169 V-38525	The audit system must be configured to audit all attempts to alter system time through stime.
RHEL-06-000171 V-38527	The audit system must be configured to audit all attempts to alter system time through clock_settime.
RHEL-06-000173 V-38530	The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
RHEL-06-000174 V-38531	The audit system must be configured to audit account creation and modification.
RHEL-06-000175 V-38534	The audit system must be configured to audit account creation and modification.
RHEL-06-000176 V-38536	The audit system must be configured to audit account creation and modification.
RHEL-06-000177 V-38538	The audit system must be configured to audit account creation and modification.
RHEL-06-000182 V-38540	The audit system must be configured to audit modifications to the systems network configuration.
RHEL-06-000183 V-38541	The audit system must be configured to audit modifications to the system's Mandatory Access Control (MAC) configuration (SELinux).
RHEL-06-000184 V-38543	The audit system must be configured to audit all discretionary access control permission modifications using chmod.
RHEL-06-000185 V-38545	The audit system must be configured to audit all discretionary access control permission modifications using chown.
RHEL-06-000186 V-38547	The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
RHEL-06-000187 V-38550	The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
RHEL-06-000188 V-38552	The audit system must be configured to audit all discretionary access control permission modifications using fchown.
RHEL-06-000189 V-38554	The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
RHEL-06-000190 V-38556	The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
RHEL-06-000191 V-38557	The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
RHEL-06-000192 V-38558	The audit system must be configured to audit all discretionary access control permission modifications using lchown.
RHEL-06-000193 V-38559	The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
RHEL-06-000194 V-38561	The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
RHEL-06-000195 V-38563	The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
RHEL-06-000196 V-38565	The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
RHEL-06-000197 V-38566	The audit system must be configured to audit failed attempts to access files and programs.
RHEL-06-000198 V-38567	The audit system must be configured to audit all use of setuid programs.
RHEL-06-000199 V-38568	The audit system must be configured to audit successful file system mounts.
RHEL-06-000200 V-38575	The audit system must be configured to audit user deletions of files and programs.
RHEL-06-000201 V-38578	The audit system must be configured to audit changes to the /etc/sudoers file.
RHEL-06-000202 V-38580	The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
RHEL-06-000509 V-38471	The system must forward audit records to the syslog service.
RHEL-06-000525 V-38438	Auditing must be enabled at boot by setting a kernel parameter.

STIG rules for local environment

The following table lists the STIG rules for local environment (tw_stig_local_env).

Rule number	Description
RHEL-06-000051 V-38477	Users must not be able to change passwords more than once every 24 hours.
RHEL-06-000053 V-38479	User passwords must be changed at least every 60 days.
RHEL-06-000056 V-38482	The system must require passwords to contain at least one numeric character.
RHEL-06-000057 V-38569	The system must require passwords to contain at least one uppercase alphabetic character.
RHEL-06-000058 V-38570	The system must require passwords to contain at least one special character.
RHEL-06-000059 V-38571	The system must require passwords to contain at least one lowercase alphabetic character.
RHEL-06-000060 V-38572	The system must require at least four characters be changed between the old and new passwords during a password change.
RHEL-06-000061 V-38573	The system must disable accounts after three consecutive unsuccessful login attempts.
RHEL-06-000069 V-38586	The system must require authentication upon booting into single-user and maintenance modes.
RHEL-06-000070 V-38588	The system must not permit interactive boot.
RHEL-06-000274 V-38658	The system must prohibit the reuse of passwords within twenty-four iterations.
RHEL-06-000299 V-38693	The system must require passwords to contain no more than three consecutive repeating characters.
RHEL-06-000334 V-38692	Accounts must be locked upon 35 days of inactivity.
RHEL-06-000335 V-38694	Accounts must be locked upon 35 days of inactivity.
RHEL-06-000356 V-38592	The system must require administrator action to unlock an account locked by excessive failed login attempts.
RHEL-06-000357 V-38501	The system must disable accounts after excessive login failures within a 15-minute interval.
RHEL-06-000372 V-51875	The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.

STIG rules for remote management

The following table lists the STIG rules for remote management (tw_stig_remote_mgmt).

Rule number	Description
RHEL-06-000230 V-38608	The SSH daemon must set a timeout interval on idle sessions.
RHEL-06-000231 V-38610	The SSH daemon must set a timeout count on idle sessions.
RHEL-06-000241 V-38616	The SSH daemon must not permit user environment settings.
RHEL-06-000319 V-38684	The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
RHEL-06-000340 V-38660	The snmpd service must use only SNMP protocol version 3 or newer.
RHEL-06-000341 V-38653	The snmpd service must not use a default password.

STIG rules for RHEL6 met using compliance script

STIG rules for auditing

STIG rules for local environment

STIG rules for remote management

On this page