## Findings Summary-Table

| Finding Summary | Finding Identifiers |
|---|---|
| | SV-86845 / RHEL-07-040110 |
| | SV-86877 / RHEL-07-040400 |
| | SV-86487 / RHEL-07-010050 |
| | SV-86589 / RHEL-07-010500 |
| | SV-86843 / RHEL-07-040100 |
| | SV-86939 / RHEL-07-040810 |
| | SV-86933 / RHEL-07-040740 |
| | SV-86621 / RHEL-07-020250 |
| | SV-86837 / RHEL-07-032000 |
| | SV-86691 / RHEL-07-021350 |
| | SV-86697 / RHEL-07-021620 |
| | SV-86473 / RHEL-07-010010 |
| | SV-86473 / RHEL-07-010010 |
| Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD | SV-86571 / RHEL-07-010340 |
| Operating system must display the date and time of the last successful account logon upon logon | SV-86899 / RHEL-07-040530 |
| | SV-86711 / RHEL-07-030320 |
| | SV-95729 / RHEL-07-030201 |
| User Must Not Be Allowed To Change Password More-frequently than once per 24 hours | SV-86551 / RHEL-07-010240 |
| | SV-86555 / RHEL-07-010260 |
| User Must Be Provided Adequate Warning Of Password-Expiration | |
| User Account Must Be Expired N Days After Password Has Expired | SV-86565 / RHEL-07-010310 |
| For Operating Systems Using DNS Resolution, At Least Two Name Servers Must Be Configured | SV-204608 / RHEL-07-040600 |
| The OS Must Elevate The SELinux Context When An Administrator Calls The Sudo Command | SV-250314 / RHEL-07-020023 |
## Use Only FIPS 140-2 Validated Ciphers
Invalid Finding:
Watchmaker implements setting valid through EL7 STIGv2R6 (released: October 2019)
## Use Only FIPS 140-2 Validated MACs
Invalid Finding:
Watchmaker implements setting valid through EL7 STIGv2R6 (released: October 2019)
## Enable Smart Card Login
Conditionally-Valid Finding:
Smart Card Login use and configuration is site-specific. Site has not provided a specification for implementing this setting within the scanned context.
## Configure the Firewalld Ports
Invalid Finding:
Watchmaker implements the setting. However, the scanner's regex may not be sufficiently flexible in its specification to recognize it.
## Set Default firewalld Zone for Incoming Packets
Conditionally-Valid Finding:
Enabling "drop" as the default firewalld zone breaks things like ping-sweeps (used by some IPAM solutions, security-scanners, etc.). Some sites will request that the "drop" zone not be used. Scan-profiles should be updated to reflect the need to not have "drop" be the active zone.
## Disable Kernel Parameter for IP Forwarding
Invalid Finding:
The prescribed `net.ipv4.ip_forward` value is set by watchmaker in `/etc/sysctl.d/99-sysctl.conf`. Executing `sysctl net.ipv4.ip_forward` on a watchmaker-hardened system returns the expected `net.ipv4.ip_forward = 0` result.
## The Installed Operating System Is Vendor Supported
Invalid Finding:
No programmatic validation or remediation is prescribed or universally implementable: this requires manual validation against the OS-vendor's lifecycle information page(s).
## Install McAfee Virus Scanning Software
Conditionally-Valid Finding:
- Where configured to do so, watchmaker will install HBSS or VSEL. Any scan-findings on systems watchmaker has been configured to install HBSS or VSEL on are typically due to version mismatches between installed and scanned-for versions.
- Where required/scanned for but not installed, the site will need to specify an automatable installation-method that will produce a match against the scanned-for configuration.
- Where not required, the scanner should either be reconfigured not to scan for presence, or the scan-results should be ignored.
## Enable FIPS Mode in GRUB2
Conditionally-Valid Finding:
Both spel and watchmaker implement `fips=1` by default. If the finding occurs, either:
- There is an error in the scanner's validation-method, or
- The system has been intentionally de-configured for FIPS — typically due to hosted-software's requirements — and the scanned system will need to be granted a deployment security-exception.
## Configure AIDE to Use FIPS 140-2 for Validating Hashes
Invalid Finding:
Because there is more than one way to implement this setting, scanners typically do not perform a real scan for it. Instead, some scanners implement a null-test to flag the configuration-item in order to force a manual review. Watchmaker implements this configuration-item by setting `NORMAL = FIPSR+sha512` in the `/etc/aide.conf` file. This may be manually validated by executing `grep NORMAL\ = /etc/aide.conf`.
## Verify and Correct Ownership with RPM
Invalid Finding:
- Flags on system-journal ownership: Journal ownership settings are automatically reset by systemd (upon reboot) after hardening has run. Currently, no means of permanently remediating this is possible.
- Similarly, if HBSS or VSEL is installed, the scan may flag on user-ownership depending on how the site specifies installation of HBSS or VSEL. One would reasonably expect similar for other, third-party packages. "Fixing" (per STIG guidance) would likely break the functioning of the HBSS/VSEL (or third-party) software.
## Verify and Correct File Permissions with RPM
Invalid Finding:
- Flags on system-journal ownership: Journal ownership settings are automatically reset by systemd (upon reboot) after hardening has run. Currently, no means of permanently remediating this is possible.
- May also flag on vendor-delivered CA-trust files which are dynamically injected into the relevant trust-stores. Currently, no known means of permanently remediating this is possible.
- May flag on third-party tools' (e.g., Splunk) config, log and other files.
## Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
Conditionally-Valid Finding:
The flagged configuration is frequently required for properly enabling a "break-glass" account at provisioning-time. This is especially so in consoleless environments (like AWS). Disable the scan or ignore the scan-findings when such accounts are required.
## Operating system must display the date and time of the last successful account logon upon logon
Invalid Finding:
Some scanners implement a scan equivalent to:
```
grep -P '^[\s]*[^\s#]+[ \t]+[\[\]\w=]+[ \t]+pam_lastlog\.so[ \t]+([\S \t]+)\s*$' /etc/pam.d/postlogin
```
to try to determine whether PAM's `pam_lastlog.so` module is properly activated with the `showfailed` option. These scanners typically only expect a single line of output that looks like:
```
session required pam_lastlog.so showfailed
```
However, on a system that watchmaker has been applied to, the scan-return will typically look like:
```
session required pam_lastlog.so showfailed
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```
If the scanner does not properly handle this multi-line output, it will report a failure even though the required configuration-fixes are actually in place and functioning as desired.
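The multi-line case described above, as an added example that is not part of the watchmaker documentation or project code: a constructed `/etc/pam.d/postlogin` sample with the three lines quoted in the text, the scanner's expression rewritten as a POSIX extended regex (so it runs with `grep -E` rather than `grep -P`), and two checks side by side: the single-line expectation that produces the false finding, and a line-oriented check that passes whenever any active `pam_lastlog.so` session line carries `showfailed`. The function and variable names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the watchmaker docs or project). Contrasts a
# scanner that expects exactly one pam_lastlog.so line with a line-oriented
# check, using constructed /etc/pam.d/postlogin content.
set -eu

# Constructed copy of the three-line output quoted in the text.
HARDENED_POSTLOGIN='session required pam_lastlog.so showfailed
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed'

# Constructed stock file: pam_lastlog.so present, showfailed absent.
STOCK_POSTLOGIN='session optional pam_lastlog.so silent noupdate'

# POSIX ERE rewrite of the scanner PCRE quoted in the text (grep -P is not
# built into every grep, so -E is used here). Matches an uncommented line
# that loads pam_lastlog.so with at least one argument after it.
LASTLOG_RE='^[[:space:]]*[^[:space:]#]+[[:space:]]+[][A-Za-z0-9_=]+[[:space:]]+pam_lastlog\.so[[:space:]]+'

# Number of active lines that load pam_lastlog.so. $1 is file content.
count_lastlog_lines() {
  printf '%s\n' "$1" | grep -Ec "$LASTLOG_RE" || true
}

# Naive scanner logic: pass only if exactly one matching line exists and
# that line carries showfailed. Exit status 0 = pass, 1 = fail.
naive_scan() {
  [ "$(count_lastlog_lines "$1")" -eq 1 ] || return 1
  printf '%s\n' "$1" | grep -E "$LASTLOG_RE" | grep -Eq '(^|[[:space:]])showfailed([[:space:]]|$)'
}

# Line-oriented check: pass if any active pam_lastlog.so line carries
# showfailed, regardless of how many such lines exist.
robust_scan() {
  printf '%s\n' "$1" | grep -E "$LASTLOG_RE" | grep -Eq '(^|[[:space:]])showfailed([[:space:]]|$)'
}

# Print both verdicts for one sample. $1 is a label, $2 is file content.
report() {
  if naive_scan "$2"; then n=pass; else n=fail; fi
  if robust_scan "$2"; then r=pass; else r=fail; fi
  printf '%s: naive=%s line-oriented=%s\n' "$1" "$n" "$r"
}

# Stand-alone demonstration against the constructed samples.
report hardened "$HARDENED_POSTLOGIN"
report stock "$STOCK_POSTLOGIN"
```

Against the hardened sample the naive check fails (three lines) while the line-oriented check passes; against the stock sample both fail, because no line carries `showfailed`. To run the line-oriented check on a live host, pass `"$(cat /etc/pam.d/postlogin)"` to `robust_scan`.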
## Operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full
Invalid Finding:
The `disk_full_action` is configured. However, it is not configured where scanners may be configured to look for it. The STIG-prescribed method expects configuration through the `audisp-remote` subsystem. Since configuration of the `audisp-remote` subsystem is inherently site-specific, generic executions of watchmaker do not attempt to configure it. Instead, watchmaker handles the `disk_full_action` configuration-item via the main audit subsystem. This can be confirmed by executing:
```
( find /etc/audisp -type f ; find /etc/audit -type f ) | xargs grep disk_full_action
```
Executing the above should return something like:
```
/etc/audit/auditd.conf:disk_full_action = SUSPEND
```
## Operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited
Invalid Finding:
Configuration of the `audisp-remote` subsystem is inherently site-specific: quite frequently, the `audisp-remote` subsystem is wholly supplanted by other offload-methods (e.g., Splunk, FluentBit, CloudWatch Logs, etc.). Therefore, neither generic executions of watchmaker nor executions that include configuration of `audisp-remote` alternatives will attempt to configure it.
## User Must Not Be Allowed To Change Password More-Frequently than once per 24 hours
Typically caused when a user is created via a service/process like `cloud-init`: the resulting user may not have its password-aging `mindays` parameter (field #4 in `/etc/shadow`) set.
## User Must Change Password At Least Once Every Sixty Days
Typically caused when a user is created via a service/process like `cloud-init`: the resulting user may not have its password-aging `maxdays` parameter (field #5 in `/etc/shadow`) set.
## User Must Be Provided Adequate Warning Of Password-Expiration
Typically caused when a user is created via a service/process like `cloud-init`: the resulting user may not have its password-aging `warndays` parameter (field #6 in `/etc/shadow`) set.
## User Account Must Be Expired N Days After Password Has Expired
Typically caused when a user is created via a service/process like `cloud-init`: the resulting user may not have its password-aging `inactivedays` parameter (field #7 in `/etc/shadow`) set.
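The four findings above share one root cause, so one added example (not from the watchmaker docs or the project's own code) covers all of them: an `awk` pass over constructed `/etc/shadow`-format content (placeholder hashes, not real ones) that names, per account, which of the aging fields 4 through 7 are empty. Sample data, function names and the field-name labels are this example's own, following the field numbering given above.

```shell
#!/usr/bin/env bash
# Added example (not part of the watchmaker docs or project). Reports which
# password-aging fields are unset in /etc/shadow-format input, which is the
# condition behind the four findings above.
set -eu

# Constructed sample shadow content; the hashes are placeholders. Fields are:
# 1 name, 2 hash, 3 last-change, 4 mindays, 5 maxdays, 6 warndays,
# 7 inactivedays, 8 expire, 9 reserved.
SAMPLE_SHADOW='root:$6$PLACEHOLDER:19000:1:60:7:0::
ec2-user:$6$PLACEHOLDER:19000::::::
svc-backup:!!:19000:1:60::0::'

# Print "user:field-names" for every account with at least one blank aging
# field (4-7). Accounts with all four fields set produce no output.
# $1 is shadow-format content.
missing_aging_fields() {
  printf '%s\n' "$1" | awk -F: '
    {
      missing = ""
      if ($4 == "") missing = missing " mindays"
      if ($5 == "") missing = missing " maxdays"
      if ($6 == "") missing = missing " warndays"
      if ($7 == "") missing = missing " inactivedays"
      # substr drops the leading separator space
      if (missing != "") print $1 ":" substr(missing, 2)
    }'
}

# Number of affected accounts, usable as a single pass/fail figure in a
# pre-scan check. $1 is shadow-format content.
count_affected_accounts() {
  missing_aging_fields "$1" | grep -c . || true
}

# Stand-alone run against the constructed sample.
missing_aging_fields "$SAMPLE_SHADOW"
```

On the sample this reports `ec2-user` as missing all four fields and `svc-backup` as missing only `warndays`; `root` is silent. Against a live host, run it as root with `"$(cat /etc/shadow)"` as the argument; the reported fields can then be set per site policy with `chage` (`-m`, `-M`, `-W` and `-I` correspond to fields 4 through 7).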
## For Operating Systems Using DNS Resolution, At Least Two Name Servers Must Be Configured
Conditionally Valid:
Only valid in environments where individually-defined DNS servers are not highly-available. When deployed into environments where DNS is provided through a highly-available service with a highly-available service-name, only one DNS server will be configured into the host's `/etc/resolv.conf` – typically by way of a DHCP option-set.
## The OS Must Elevate The SELinux Context When An Administrator Calls The Sudo Command
Conditionally Valid:
Implementation of this finding's technical controls changes how `sudo` commands are executed. Some EL7 tooling (at least one third-party authentication subsystem is known to break under this new control) is incompatible with implementing this control. For systems where this control breaks functionality and must be disabled, this will be a valid finding that should be included in any exception documentation and associated organizational processes. Otherwise, the system should be configured to meet this control.
Further Notes:
Implementing this control can have significant user-education requirements and can also adversely impact legacy automation. While these should be non-fatal problems, only requiring user education or fine-tuning of legacy automation, the control still should be implemented.
As implemented in this project, the modifications to the relevant `/etc/sudoers.d` files may create sub-optimal SELinux transitions. If so, it will be up to the watchmaker user to deactivate `ash-linux.el7.STIGbyID.cat2.RHEL-07-020023` (see the pillar.example file in the ash-linux-formula project; see also the associated README file for further elaboration) and then provide their own mapping-modifications as a substitute. Deactivation can be done via the `ash-linux:lookup:skip-stigs` list-variable in Pillar.