RHEL 9 STIG Update Q1 2023 #10185

Merged
59 commits
c27d934
RHEL 9 STIG Import Whitespace Changes
Mab879 Feb 7, 2023
cef09e9
Remove variables from product specific content
Mab879 Feb 7, 2023
2c38c4c
Update SSH key permissions for RHEL 9 STIG
Mab879 Feb 7, 2023
45f48ce
Escape < and > in product specific content
Mab879 Feb 7, 2023
d5f337e
Update kernel module disabling product specific content for RHEL 9 STIG
Mab879 Feb 7, 2023
c7aa50f
Update crypto policy for policy specific content
Mab879 Feb 7, 2023
e73aad3
Fix capitalization in accounts_passwords_pam_faillock_unlock_time for…
Mab879 Feb 7, 2023
38bde59
Fix small errors in account_emergency_expire_date policy specific content
Mab879 Feb 7, 2023
bbd418a
Update rules about unauthorized accounts in policy specific content
Mab879 Feb 7, 2023
ea2b0c5
Update accounts_password_set_min_life_existing to use passwd
Mab879 Feb 7, 2023
03dfaae
Clean up security_patches_up_to_date for policy specific content
Mab879 Feb 7, 2023
e8874f0
Update SSH crypto rules in policy specific content
Mab879 Feb 7, 2023
7243f67
Fix up accounts_user_interactive_home_directory_defined for policy sp…
Mab879 Feb 7, 2023
98f58d0
Update auditd_audispd_configure_sufficiently_large_partition policy s…
Mab879 Feb 7, 2023
68e140c
Update file_groupowner_grub2_cfg to use group-owner in PSC
Mab879 Feb 7, 2023
92d4194
Update dconf_gnome_disable_ctrlaltdel_reboot for policy specific content
Mab879 Feb 7, 2023
99c1f63
Remove extraneous text from grub2_password for PSC
Mab879 Feb 7, 2023
7439835
More update to network_configure_name_resolution for PSC
Mab879 Feb 7, 2023
4ec187c
Add RHEL 9 specific content for installed_OS_is_vendor_supported
Mab879 Feb 8, 2023
1a13369
Add kernel_module_sctp_disabled to the RHEL 9 STIG
Mab879 Feb 8, 2023
f94161f
Add accounts_password_pam_unix_rounds_* rules to RHEL 9 STIG
Mab879 Feb 8, 2023
8d6b13f
Add package_audispd-plugins_installed to RHEL 9 STIG
Mab879 Feb 8, 2023
9c06cc2
Minor fix on configure_openssl_tls_crypto_policy for RHEL 9 STIG
Mab879 Feb 8, 2023
033fad3
Update configure_crypto_policy for RHEL 9 STIG
Mab879 Feb 8, 2023
b77974c
Fix `&gt` to `&gt;` for audit rules in RHEL 9 STIG
Mab879 Feb 9, 2023
693d054
Add package_nss-tools_installed to RHEL 9 STIG
Mab879 Feb 9, 2023
a0dbe74
Always use aide_periodic_cron_checking for the RHEL 9 STIG
Mab879 Feb 9, 2023
8581d76
Add two rules to SRG-OS-000021-GPOS-00005 for the RHEL 9 STIG
Mab879 Feb 9, 2023
5fb3fd8
Add PSC content for kernel_module_sctp_disabled
Mab879 Feb 9, 2023
39fd633
Add PSC content for package_audispd-plugins_installed
Mab879 Feb 9, 2023
172fbf6
Fix file_groupowner_grub2_cfg to be group owner
Mab879 Feb 10, 2023
2488fb6
Fix up kernel_module_sctp_disabled
Mab879 Feb 10, 2023
6fae90f
Clean up sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Mab879 Feb 10, 2023
edbcbff
Fix fix -> fixtext package_nss-tools_installed
Mab879 Feb 13, 2023
780bc53
Move audit_rules_login_events_faillock to use /var/log/faillock
Mab879 Feb 13, 2023
00a641c
Add check text to package_audispd-plugins_installed
Mab879 Feb 13, 2023
98e6fd7
Fix RHEL 9 to full_name in RHEL 9 STIG
Mab879 Feb 13, 2023
48d1b9d
check -> checktext in RHEL 9 STIG
Mab879 Feb 13, 2023
8d2d7eb
Update PSC file_permissions_sshd_private_key for RHEL 9
Mab879 Feb 13, 2023
2cccb91
Update ensure_redhat_gpgkey_installed PSC for RHEL 9 STIG
Mab879 Feb 13, 2023
47e0fed
Update harden_sshd_ciphers_opensshserver_conf_crypto_policy PSC for R…
Mab879 Feb 13, 2023
96e19ba
Update harden_sshd_ciphers_openssh_conf_crypto_policy PSC for RHEL 9 …
Mab879 Feb 13, 2023
0f82881
Update harden_sshd_ciphers_openssh_conf_crypto_policy PSC for RHEL 9 …
Mab879 Feb 13, 2023
6e9c68c
Add checktext to kernel_module_sctp_disabled for RHEL 9 STIG
Mab879 Feb 13, 2023
6898144
Update checktext for accounts_umask_interactive_users in RHEL 9 STIG
Mab879 Feb 13, 2023
65b56f6
Update vuldiscussion in ssh_keys_passphrase_protected for RHEL 9 STIG
Mab879 Feb 13, 2023
5147496
Fix accounts_passwords_pam_faillock_unlock_time PSC content
Mab879 Feb 14, 2023
892dd10
Ensure that < and > HTML encoding have a semicolon
Mab879 Feb 14, 2023
2ceb059
Add check text for accounts_password_pam_unix_rounds-*
Mab879 Feb 14, 2023
2f68102
Adjust MACs for RHEL 9 STIG in SSHD
Mab879 Feb 14, 2023
ed127a5
Minor fix in grub2_admin_username PSC for RHEL 9 STIG
Mab879 Feb 14, 2023
92ece34
Update no_shelllogin_for_systemaccounts PSC for RHEL 9 STIG
Mab879 Feb 14, 2023
b00d558
Minor change to grub2_audit_backlog_limit_argument
Mab879 Feb 14, 2023
1a10f81
Update rsyslog_nolisten PSC for RHEL 9 STIG
Mab879 Feb 14, 2023
8a722d4
Update harden_sshd_macs_openssh_conf_crypto_policy PSC for RHEL 9 STIG
Mab879 Feb 14, 2023
144e98e
Update bios_enable_execution_restrictions PSC for RHEL 9 STIG
Mab879 Feb 14, 2023
87ef627
Update rules for RHEL 9 SIG
Mab879 Feb 14, 2023
e87da47
Resolve issues found in review of #10185
Mab879 Feb 28, 2023
d9fb321
Adjust fixtext in accounts_password_pam_pwhistory_remember_password_auth
Mab879 Mar 1, 2023
@@ -1,9 +1,14 @@
srg_requirement: |-
{{{ full_name }}} Must Implement Non-Executable Data To Protect Its Memory From Unauthorized Code Execution.
{{{ full_name }}} must implement non-executable data to protect its memory from unauthorized code execution.

vuldiscussion: |-
Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.
ExecShield uses the segmentation feature on all x86 systems to prevent
execution in memory higher than a certain address. It writes an address as
a limit in the code segment descriptor, to control where code can be
executed, on a per-process basis. When the kernel places a process's memory
regions such as the stack and heap higher than this address, the hardware
prevents execution in that address range. This is enabled by default on the
latest Red Hat and Fedora systems if supported by the hardware.

checktext: |-
Verify the NX (no-execution) bit flag is set on the system.
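Review bot: the new vuldiscussion paragraph justifies the requirement with ExecShield's segment-limit trick ("uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address"), but that mechanism only exists on 32-bit x86, and this is RHEL 9 product-specific content, which ships no 32-bit x86 kernel; on x86_64 non-executable data is enforced by the NX/XD bit in the page tables, which is exactly what the checktext's "nx" cpuinfo flag and the "NX (Execute Disable) protection" dmesg line verify. Suggest rewording the paragraph around the NX bit so the discussion matches the check, and replacing the vague "enabled by default on the latest Red Hat and Fedora systems if supported by the hardware" with a statement tied to {{{ full_name }}}. The title-case to sentence-case change of the srg_requirement line is fine.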
Expand All @@ -16,20 +21,14 @@ checktext: |-

If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command:

$ sudo grep flags /proc/cpuinfo
flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts
$ sudo less /proc/cpuinfo | grep -i flags
flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc

The output should contain the "nx" flag.
If "flags" does not contain the "nx" flag, this is a finding.

Then, verify that there are no log messsages stating that NX is disabled in the system log. Run the following command:
$ sudo grep -P "^.+protection: disabled.+" /var/log/dmesg
The output should be empty.

Then, check that NX is not disabled in the kernel command line.
$ sudo grep -P ".+noexec[0-9]*=off.+" /proc/cmdline
The output should be empty.
fixtext: |-
Update the GRUB 2 bootloader configuration.

If NX is disabled, then this is a finding.
Run the following command:

fixtext: |-
The NX bit execute protection must be enabled in the system BIOS.
$ sudo grubby --update-kernel=ALL --remove-args=noexec
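Review bot: check and fix drift apart in this hunk. If the `/proc/cmdline` `noexec` grep and the matching `$ sudo grubby --update-kernel=ALL --remove-args=noexec` remediation are intentionally dropped in favour of the BIOS-only fixtext ("The NX bit execute protection must be enabled in the system BIOS."), then the trailing "If NX is disabled, then this is a finding." needs to say how the assessor determines that, since the only remaining evidence is the cpuinfo flags line, which the preceding "If "flags" does not contain the "nx" flag, this is a finding." already covers; either delete the redundant sentence or keep the kernel command-line check together with its grubby fix next to the BIOS instruction so the fixtext still has an actionable step. Minor: `$ sudo less /proc/cpuinfo | grep -i flags` pipes a pager into grep for no reason; `$ sudo grep -i flags /proc/cpuinfo` matches the form of the other commands in this checktext.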