Sys Maintenance: DISA STIG

Enables all STIG controls. For example:

manage_stig_controls --enable-all-controls

manage_stig_controls --enable-default-controls

no

no

yes

Apply STIG configuration to all hosts. For example:

manage_stig_controls --host-all

Apply STIG configuration for the host identified by the value shown under Hostname in the ADMIN > Hosts > Edit dialog in the NetWitness Platform Interface. This value can be an ip-addres (default) or a user-specified name. For example:

manage_stig_controls --host-addr <hostname>

no

no

yes

At a minimum, configure AIDE to run a weekly scan and at most, daily. To implement a daily execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to the /etc/crontab file:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.

Install the AIDE package with the following command: $ sudo yum install aid

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS 140-2 validated ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

The following ciphers are FIPS 140-2 certified on RHEL 7:

- aes128-ctr - aes192-ctr - aes256-ctr - aes128-cbc - aes192-cbc - aes256-cbc - 3des-cbc - rijndael-cbc@lysator.liu.se

Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

The root user should never be allowed to login to a system directly over a network.

Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.

Make sure that virus definition files are no older than 7 days or their last release.

For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards https://access.redhat.com/solutions/82273

To ensure FIPS mode is enabled, install the dracut-fips package and rebuild initramfs by running the following commands:

$ sudo yum install dracut-fips dracut -f

After the dracut command has been run, add the fips=1 argument to the default GRUB 2 command line for the Linux operating system in the /etc/default/grub file as shown in the following example:

GRUB_CMDLINE_LINUX='crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1'

Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows ( On BIOS-based machines, issue the following command as root):

~]# grub2-mkconfig -o /boot/grub2/grub.cfg

On UEFI-based machines, issue the following command as root:

~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in the /etc/crontab file, append the following line to the existing AIDE line:
| /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
Otherwise, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s '$(hostname) - AIDE Integrity Check' root@localhost
AIDE can be executed periodically through other means. This is just one example.

By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in the /etc/aide.conf file:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways. This is just one example that is already configured by default.

By default, the sha512 option is added to the ORMAL ruleset in AIDE. If using a custom ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For example, add sha512 to the following line in the /etc/aide.conf file:ORMAL = FIPSR+sha512
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default.

Configure the operating system to implement multifactor authentication by installing the required packages with the following command:
$ sudo yum install esc pam_pkcs11 authconfig-gtk

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Verify that the GNOME Login Inactivity Timeout is set on the host (The graphical desktop environment must set the idle timeout to no more than 15 minutes.).

To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth by adding the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
Add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.s

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
kernel.randomize_va_space = 2

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands match vendor values, run the following command to list which files on the system with hashes that differ from what is expected by the RPM database:
$ rpm -Va | grep '^..5' A 'c'
in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf
The package can be reinstalled from a yum repository using the command:
FILENAME $ sudo yum reinstall
Alternatively, the package can be reinstalled from trusted media using the command:
PACKAGENAME $ sudo rpm -Uvh PACKAGENAME

Verify that the host records events that modify the system's discretionary access controls - chown.

To configure the system login banner edit the /etc/issue file. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:
" You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

• The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
• At any time, the USG may inspect and seize data stored on this IS.
• Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
• This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

or

" I've read & consent to terms in IS user agreem't."

To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in the /etc/firewalld/firewalld.conf file to be:
DefaultZone=drop

The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service

Edit /etc/snmp/snmpd.conf file by removing or changing the default community strings of public and private. After the default community strings have been changed, restart the SNMP service:
$ sudo service snmpd restart

Explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in the /etc/ssh/sshd_config file.

To set the runtime status of the t.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
t.ipv4.conf.all.send_redirects = 0

To set the runtime status of the t.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
t.ipv4.ip_forward = 0

To set the runtime status of the t.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
t.ipv4.conf.all.accept_redirects = 0

To set the runtime status of the t.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
t.ipv4.conf.default.accept_redirects = 0

When enabled, SSH will display the date and time of the last successful account log in. To enable LastLog in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
PrintLastLog yes

Enable Encrypted X11 Forwarding - By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled. To enable X11 Forwarding, add or correct the following line in the /etc/ssh/sshd_config file:
X11Forwarding yes

Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. Check that yum verifies the repository metadata prior to install with the following command. This should be configured by setting repo_gpgcheck to 1 in /etc/yum.conf.

The installed operating system must be maintained and certified by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches and meeting and maintaining government certifications and standards.

SSSD should be configured to run SSSD pam services. To configure SSSD to known SSH hosts, add pam to services under the [sssd] section in /etc/sssd/sssd.conf file. For example: [sssd] services = sudo, autofs, pam

Multiple Domain Name System (DNS) Servers should be configured in the /etc/resolv.conf file. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver entry in ip_address /etc/resolv.conf file for each DNS server where ip_address is the IP address of a valid DNS server. For example:
search example.com nameserver 192.168.0.1 nameserver 192.168.0.2

Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
$ sudo firewall-cmd --permanent --add-port= or port_number/tcp $ sudo firewall-cmd --permanent --add-port=

Run the command list above for each of the ports listed below: <ports>
To configure service_nam firewalld to allow access, run the following command(s):
firewall-cmd --permanent --add-service=ssh

Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the ldap_tls_cacertdir option in /etc/sssd/sssd.conf to point to the path for the X.509 certificates used for peer authentication.
ldap_tls_cacertdir /path/to/tls/cacert

The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with rpm -Va | grep '^.....\(U\|.G\)'
Run the following command to determine which package owns it:
$ rpm -qf

Next, run the following command to reset its permissions to the correct values:
FILENAME $ sudo rpm --setugids PACKAGENAME

This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig If USELDAPAUTH=yes

To check if LDAP is configured to use TLS, use the following command:
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to a file in the /etc/modprobe.d directory :
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. To do so, select a superuser account name and password and and modify the /etc/grub.d/01_users configuration file with the new account name. Because plain text passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.
NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root').
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.

To set the runtime status of the t.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
If this is not the system default value, add the following line to the /etc/sysctl.conf file:
t.ipv6.conf.all.accept_source_route = 0

At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with .rules in /etc/audit/rules.d: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=429496729as a suffix 5 -F key=privileged-priv_change. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_chang

To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=
The place where you add the line depends on the way ARCH -S create_module -F key=modules auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with the .rules suffix in the /etc/audit/rules.d directory. If the auditd daemon is configured to use the auditctl utility, add the line to the /etc/audit/audit.rulesfile .