Common Scan Findings

There is frequently more than one way to achieve a given hardening-recommendation. As such, generic security scanners may produce alerts/findings that are at odds with the actual system state implemented by Watchmaker. The following are frequently-cited findings and explanations for why a scanner may alert on the Watchmaker-managed configuration-state.

Common Scan Findings for EL7

• Findings Summary-Table
• Use Only FIPS 140-2 Validated Ciphers
• Use Only FIPS 140-2 Validated MACs
• Modify the System Login Banner
• Enable Smart Card Login
• Configure the Firewalld Ports
• Set Default firewalld Zone for Incoming Packets
• Disable Kernel Parameter for IP Forwarding
• The Installed Operating System Is Vendor Supported
• Install McAfee Virus Scanning Software
• Enable FIPS Mode in GRUB2
• Configure AIDE to Use FIPS 140-2 for Validating Hashes
• Verify and Correct Ownership with RPM
• Verify and Correct File Permissions with RPM
• Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
• Operating system must display the date and time of the last successful account logon upon logon
• Operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full
• Operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited
• User Must Not Be Allowed To Change Password More-Frequently than once per 24 hours
• User Must Change Password At Least Once Every Sixty Days
• User Must Be Provided Adequate Warning Of Password-Expiration
• User Account Must Be Expired N Days After Password Has Expired
• For Operating Systems Using DNS Resolution, At Least Two Name Servers Must Be Configured
• The OS Must Elevate The SELinux Context When An Administrator Calls The Sudo Command

Common Scan Findings for EL8

• Findings Summary-Table
• Prevent System Daemons From Using Kerberos For Authentication
• Users Must Provide A Password For Privilege Escalation
• A Separate Filesystem Must Be Used For the /tmp Directory
• The OS must mount /tmp with the nodev option
• The OS must mount /tmp with the nosuid option
• The OS must mount /tmp with the noexec option
• The OS Must Ensure Session Control Is Automatically Started At Shell Initialization
• User Account Passwords Must Be Restricted To A 60-Day Maximum Lifetime
• OS Must Prohibit Password Reuse For A Minimum Of Five Generations
• The Installed Operating System Is Not Vendor Supported
• All Remote Access Methods Must Be Monitored
• All Content In A User’s Home Directory Must Be Group-Owned By The Primary User
• “Only Authorized Local User Accounts Exist on Operating System” is always flagged
• All Interactive User Home Directory Files Must Be Mode 0750 Or Less Permissive
• Add nosuid Option to /boot
• Configure Multiple DNS Servers in /etc/resolv.conf
• Enable Certmap in SSSD
• Verify that Shared Library Directories Have Root Ownership
• Oracle Linux 8 STIGs Specify Conflicting ClientAliveCountMax values
• Record Events When Privileged Executables Are Run
• EL 8 systems less than v8.4 must configure the password complexity module in the system-auth allow three retries or less
• EL 8 must enable the hardware random number generator entropy gatherer service