diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index 749efa9..0000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Ansible Lint -on: - - push - - pull_request_target - -env: - ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }} - -jobs: - build: - name: Ansible Lint - runs-on: ubuntu-latest - steps: - # this action implicitly calls actions/checkout - - name: Run ansible-lint - uses: ansible/ansible-lint@v6.18.0 diff --git a/.github/workflows/linter.yml.old b/.github/workflows/linter.yml.old deleted file mode 100644 index 7b24f2c..0000000 --- a/.github/workflows/linter.yml.old +++ /dev/null @@ -1,50 +0,0 @@ ---- -########################### -########################### -## Linter GitHub Actions ## -########################### -########################### -name: Lint Code Base - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: [push, pull_request] - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Lint Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v2 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - ################################ - # Run Linter against code base # - ################################ - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: main - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 0000000..5444cdd --- /dev/null +++ b/.github/workflows/pre-commit.yml @@ -0,0 +1,19 @@ +--- +name: pre-commit +on: + - push + - pull_request_target + +env: + ANSIBLE_GALAXY_SERVER_AH_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN }} + +jobs: + pre-commit: + name: pre-commit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + - uses: pre-commit/action@v3.0.1 + +... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..764d690 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,41 @@ +--- +name: release + +on: + push: + branches: + - main + tags: + - "v*.*.*" + + workflow_run: + workflows: ["pre-commit"] + types: + - completed + +jobs: + release: + name: Release Job + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/v') + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Install go (required for Changelog parsing) + uses: actions/setup-go@v4 + + - name: Parse CHANGELOG.md + run: | + GO111MODULE=on go install github.com/rcmachado/changelog@0.7.0 + changelog show "$GITHUB_REF_NAME" > ${{ github.workspace }}-CHANGELOG.txt + echo "Release note for $GITHUB_REF_NAME :" + cat ${{ github.workspace }}-CHANGELOG.txt + + - name: Release + uses: softprops/action-gh-release@v1 + with: + body_path: ${{ github.workspace }}-CHANGELOG.txt + files: | + LICENSE + CHANGELOG.md diff --git a/.gitignore b/.gitignore index bb9433c..da93076 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ - +ansible-navigator.log sean_login_info.yml .DS_Store choose_demo.yml @@ -6,6 +6,7 @@ choose_demo_example_azure.yml choose_demo_example_aws.yml .ansible.cfg *.gz - -**/roles/* -!**/roles/requirements.yml +*artifact*.json +roles/* +!roles/requirements.yml +.deployment_id 
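Review bot: The workflow-level `env:` in the new pre-commit.yml hands `secrets.ANSIBLE_GALAXY_SERVER_AH_TOKEN` to a job that is also triggered by `pull_request_target`, so it runs with that secret for pull requests from forks; with `actions/checkout@v4` and no `ref:` that event checks out the base-branch commit, which means the hooks lint `main` rather than the PR, and the first person who "fixes" that by checking out the PR head gives a fork control of `.pre-commit-config.yaml` and every hook it runs, with the Automation Hub token in the environment. Trigger on `- pull_request` instead (fork PRs then get no secrets), move the token from the top-level `env:` onto the `pre-commit/action@v3.0.1` step so `checkout` and `setup-python` never see it, and add `permissions: contents: read` at the top of the file. Pinning the three actions to full commit SHAs rather than mutable tags would close the remaining supply-chain gap, and it is worth confirming that CI needs the token at all since it is only required for collection resolution.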
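Review bot: release.yml declares no `permissions:` block, so `softprops/action-gh-release@v1` publishes with whatever default `GITHUB_TOKEN` scope the repository grants — either write-all, which is far more than it needs, or read-only, in which case the release step fails; add `permissions: contents: write` to the `release` job and nothing more. The `workflow_run` trigger and the `branches: [main]` push filter are dead under `if: startsWith(github.ref, 'refs/tags/v')`: for `workflow_run` events `github.ref` is the default branch (per the events documentation), so that path is always skipped, and a tag push fires the release without waiting for pre-commit at all. If the intent is "release only after pre-commit passed on the tag", gate on `github.event.workflow_run.conclusion == 'success'` and take the tag from `github.event.workflow_run.head_branch`; otherwise drop the trigger so the file says what it does. `go install github.com/rcmachado/changelog@0.7.0` and the `@v1`/`@v3`/`@v4` action refs are all mutable tags — pin at least the actions to commit SHAs.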
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d6f431d..7a17953 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,13 +4,30 @@ repos: rev: v4.4.0 hooks: - id: end-of-file-fixer + exclude: rhel[89]STIG/.*$ + - id: trailing-whitespace + exclude: rhel[89]STIG/.*$ + + - id: check-yaml + exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$ + args: [--unsafe] # see https://github.com/pre-commit/pre-commit-hooks/issues/273 + + - id: check-toml + - id: check-json + - id: check-symlinks + - repo: https://github.com/ansible/ansible-lint.git # get latest release tag from https://github.com/ansible/ansible-lint/releases/ - rev: v6.18.0 + rev: v6.20.3 hooks: - id: ansible-lint additional_dependencies: - jmespath + - repo: https://github.com/psf/black-pre-commit-mirror + rev: 23.11.0 + hooks: + - id: black + exclude: rhel[89]STIG/.*$ ... diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3a54dee..7f3bc6f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -18,6 +18,7 @@ This document aims to outline the requirements for the various forms of contribu - PRs should be rebased against the `main` branch to avoid conflicts. - PRs should not impact more than a single directory/demo section. - PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`. +- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123"). ## Adding a New Demo 1) Create a new branch based on main. (eg. `git checkout -b `) 
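Review bot: `args: [--unsafe]` on the new `check-yaml` hook turns the check into a syntax-only parse, so the hook no longer constructs documents and anything only a loader would reject (duplicate keys, bad anchors/aliases) now passes; that is the price of accepting Ansible's `!vault` and similar tags, but the inline comment only links an issue. Make the trade-off explicit: `args: [--unsafe]  # parse-only: needed for !vault/custom tags; duplicate keys are left to ansible-lint's yamllint rules` — and confirm that ansible-lint's yamllint profile has `key-duplicates` enabled, since nothing else in this config would catch them. The `exclude` pattern `\.j2.(yaml|yml)$` has an unescaped `.` before the extension; `\.j2\.(yaml|yml)$` matches what was intended.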
@@ -31,7 +32,7 @@ This document aims to outline the requirements for the various forms of contribu 1) You can copy paste an existing one and edit it. 2) Ensure you edit the name, playbook path, survey etc. 5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml) -6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration. +6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration. > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account. 
@@ -43,17 +44,29 @@ This document aims to outline the requirements for the various forms of contribu --- user_message: '' - controller_components: - - job_templates - controller_templates: ... ``` - - `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles) + - Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles) - Add variables for each component listed 3) Include a README.md in the subdirectory ## Testing -To run `ansible-lint` you will need to set an environment variable for the token to connect to Automation Hub. You can get a token from [here](https://console.redhat.com/ansible/automation-hub/token). -Copy the value of the token and run `export ANSIBLE_GALAXY_SERVER_AH_TOKEN=` +We utilize pre-commit to handle Git hooks, initiating a pre-commit check with each commit, both locally and on CI. + +To install pre-commit, use the following commands: +```bash +pip install pre-commit +pre-commit install +``` + +For further details, refer to the [pre-commit installation documentation](https://pre-commit.com/#installation). + +To execute ansible-lint (whether within pre-commit or independently), you must configure an environment variable for the token required to connect to Automation Hub. Obtain the token [here](https://console.redhat.com/ansible/automation-hub/token). + +Copy the token value and execute the following command: + +```bash +export ANSIBLE_GALAXY_SERVER_AH_TOKEN= +``` diff --git a/README.md b/README.md index 376c982..5d5b5f2 100644 --- a/README.md +++ b/README.md 
@@ -19,25 +19,31 @@ If you would like to contribute to this project please refer to [contribution gu ## Using this project -This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox]([red.ht/aap-product-demos](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link)) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples). +This project is tested for compatibility with the [demo.redhat.com Product Demos Sandbox](https://demo.redhat.com/catalog?search=product+demos&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod) lab environment. To use with other Ansible Controller installations, review the [prerequisite documentation](https://github.com/RedHatGov/ansible-tower-samples). > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account. 1. First you must create a credential for [Automation Hub](https://console.redhat.com/ansible/automation-hub/) to successfully sync collections used by this project. - + 1. In the Credentials section of the Controller UI, add a new Credential called `Automation Hub` with the type `Ansible Galaxy/Automation Hub API Token` 2. You can obtain a token [here](https://console.redhat.com/ansible/automation-hub/token). This page will also provide the Server URL and Auth Server URL. 3. Next, click on Organizations and edit the `Default` organization. Add your `Automation Hub` credential to the `Galaxy Credentials` section. Don't forget to click **Save**!! > You can also use an execution environment for disconnected environments. To do this, you must disable collection downloads in the Controller. This can be done in `Settings` > `Job Settings`. 
This setting prevents the controller from downloading collections listed in the [collections/requirements.yml](collections/requirements.yml) file. -2. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project. +2. If it is not already created for you, add an Execution Environment called `product-demos` + + - Name: product-demos + - Image: quay.io/acme_corp/product-demos-ee:latest + - Pull: Only pull the image if not present before running + +3. If it is not already created for you, create a Project called `Ansible official demo project` with this repo as a source. NOTE: if you are using a fork, be sure that you have the correct URL. Update the project. + +4. Finally, Create a Job Template called `Setup` with the following configuration: -3. Finally, Create a Job Template called `Setup` with the following configuration: - - Name: Setup - Inventory: Demo Inventory - - Exec Env: Control Plane EE + - Exec Env: product-demos - Playbook: setup_demo.yml - Credentials: - Type: Red Hat Ansible Automation Platform diff --git a/ansible.cfg b/ansible.cfg index 321f02a..b023517 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,12 +1,14 @@ [defaults] -collections_paths=./collections +collections_path=./collections roles_path=./roles [galaxy] server_list = ah,galaxy [galaxy_server.ah] -#url=https://cloud.redhat.com/api/automation-hub/ +# Grab a token at https://console.redhat.com/ansible/automation-hub/token +# Then define it using ANSIBLE_GALAXY_SERVER_AH_TOKEN="" + url=https://console.redhat.com/api/automation-hub/content/published/ auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token diff --git a/cloud/README.md b/cloud/README.md index 7ef5e41..93aeb38 100644 --- a/cloud/README.md +++ b/cloud/README.md 
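Review bot: The new comment under `[galaxy_server.ah]` explains how to supply the token but not what the unchanged `server_list = ah,galaxy` implies: a collection that the Automation Hub endpoint cannot resolve is fetched from public galaxy.ansible.com instead, so a certified collection missing from the subscription (or a typo in `requirements.yml`) silently degrades to an unsigned community package of the same name. One more comment line would save someone a bad day, e.g. `# galaxy is a fallback: names AH cannot resolve are pulled from galaxy.ansible.com; pin 'source:' per collection in requirements.yml where that is not acceptable`. Keeping the token in the environment rather than an inline `token=` key, as the comment already says, is the right call for a committed file.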
@@ -10,7 +10,7 @@ - [Configure Credentials](#configure-credentials) - [Add Workshop Credential Password](#add-workshop-credential-password) - [Remove Inventory Variables](#remove-inventory-variables) - - [Getting your Puiblic Key for Create Keypair Job](#getting-your-puiblic-key-for-create-keypair-job) + - [Getting your Public Key for Create Keypair Job](#getting-your-public-key-for-create-keypair-job) - [Suggested Usage](#suggested-usage) - [Known Issues](#known-issues) @@ -49,11 +49,11 @@ After running the setup job template, there are a few steps required to make the 1) Remove Workshop Inventory variables on the Details page of the inventory. Required until [RFE](https://github.com/ansible/workshops/issues/1597]) is complete -### Getting your Puiblic Key for Create Keypair Job +### Getting your Public Key for Create Keypair Job 1) Connect to the command line of your Controller server. This is easiest to do by opening the VS Code Web Editor from the landing page where you found the Controller login details. 2) Open a Terminal Window in the VS Code Web Editor. -3) SSH to one of your linux nodes (eg. `ssh node1`). This should log you into the node as `ec2-user` +3) SSH to one of your linux nodes (eg. `ssh aws_rhel9`). This should log you into the node as `ec2-user` 4) `cat .ssh/authorized_keys` and copy the key listed including the `ssh-rsa` prefix 
@@ -66,4 +66,4 @@ After running the setup job template, there are a few steps required to make the **Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances. ## Known Issues -Azure does not work without a custom execution environment that includes the Azure dependencies. \ No newline at end of file +Azure does not work without a custom execution environment that includes the Azure dependencies. diff --git a/cloud/create_vpc.yml b/cloud/create_vpc.yml index 4afd4e7..5fd25e8 100644 --- a/cloud/create_vpc.yml +++ b/cloud/create_vpc.yml @@ -122,3 +122,12 @@ Name: "{{ aws_rt_name }}" owner: "{{ aws_owner_tag }}" purpose: "{{ aws_purpose_tag }}" + + - name: Set VPC stats + ansible.builtin.set_stats: + data: + __aws_region: '{{ create_vm_aws_region }}' + __aws_vpc_id: '{{ aws_vpc.vpc.id }}' + __aws_vpc_cidr: '{{ aws_vpc_cidr_block }}' + __aws_subnet_id: '{{ aws_subnet.subnet.id }}' + __aws_subnet_cidr: '{{ aws_subnet_cidr }}' diff --git a/cloud/setup.yml b/cloud/setup.yml index f3d7a83..e04653f 100644 --- a/cloud/setup.yml +++ b/cloud/setup.yml 
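Review bot: The new `set_stats` task exports VPC and subnet IDs/CIDRs without saying where they go: `set_stats` data (default `aggregate: true`, `per_host: false`) is stored on the Controller job record and injected as extra_vars into every downstream workflow node, and the `__` prefix is a naming convention, not a visibility control. A comment such as `# Exported as workflow artifacts: consumed by downstream Create VM / report nodes; keep to non-sensitive IDs and CIDRs` would stop a later edit from adding a key pair or credential here. `aws_vpc.vpc.id` and `aws_subnet.subnet.id` rely on `register:` results from tasks above this hunk; if the play is ever run with `--check` those modules may return no `vpc`/`subnet` object and this task fails on the undefined attribute, so a `when: not ansible_check_mode` is worth considering.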
@@ -1,90 +1,8 @@ --- +_deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}" + user_message: -controller_components: - - execution_environments - - projects - - credentials - - inventory_sources - - groups - - job_templates - - workflow_job_templates - -controller_execution_environments: - - name: Cloud Services Execution Environment - image: quay.io/scottharwell/cloud-ee:latest - -controller_projects: - - name: Ansible Cloud Content Lab - AWS - organization: Default - scm_type: git - wait: true - scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git - default_environment: Cloud Services Execution Environment - -controller_credentials: - - name: AWS - credential_type: Amazon Web Services - organization: Default - update_secrets: false - inputs: - username: REPLACEME - password: REPLACEME - -# - name: Azure -# credential_type: Microsoft Azure Resource Manager -# organization: Default -# update_secrets: false -# inputs: -# subscription: REPLACEME - -controller_inventory_sources: - - name: AWS Inventory - organization: Default - source: ec2 - inventory: Demo Inventory - credential: AWS - overwrite: true - source_vars: - hostnames: - - tag:Name - compose: - ansible_host: public_ip_address - ansible_user: 'ec2-user' - groups: - cloud_aws: true - os_linux: tags.blueprint.startswith('rhel') - keyed_groups: - - key: platform - prefix: os - - key: tags.blueprint - prefix: blueprint - - key: tags.owner - prefix: owner - -# - name: Azure Inventory -# organization: Default -# source: azure_rm -# inventory: Demo Inventory -# credential: Azure -# execution_environment: Ansible Engine 2.9 execution environment -# overwrite: true -# source_vars: -# hostnames: -# - tags.Name -# - default -# keyed_groups: -# - key: os_profile.system -# prefix: os -# conditional_groups: -# cloud_azure: true - -controller_groups: - - name: cloud_aws - inventory: Demo Inventory - variables: - ansible_user: ec2-user - controller_templates: - name: Cloud / 
AWS / Create Peer Infrastructure job_type: run @@ -92,7 +10,7 @@ controller_templates: credentials: - AWS project: Ansible Cloud Content Lab - AWS - playbook: playbook_create_peer_network.yml + playbook: playbooks/create_peer_network.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry @@ -108,7 +26,7 @@ controller_templates: credentials: - AWS project: Ansible Cloud Content Lab - AWS - playbook: playbook_delete_peer_network.yml + playbook: playbooks/delete_peer_network.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry @@ -122,7 +40,7 @@ controller_templates: credentials: - AWS project: Ansible Cloud Content Lab - AWS - playbook: playbook_create_transit_network.yml + playbook: playbooks/create_transit_network.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry @@ -138,7 +56,7 @@ controller_templates: credentials: - AWS project: Ansible Cloud Content Lab - AWS - playbook: playbook_delete_transit_network.yml + playbook: playbooks/delete_transit_network.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry 
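Review bot: `_deployment_id: "{{ lookup('file', playbook_dir + '/.deployment_id') }}"` reads a file that this same commit adds to `.gitignore`, so a fresh project sync never contains it and `lookup('file')` aborts the whole setup with a generic "could not locate file" error instead of a message naming what must be created; note also that `playbook_dir` resolves relative to the top-level playbook (`setup_demo.yml` at the repo root per the README), not to `cloud/`, which is easy to misread. At minimum document it next to the definition: `# .deployment_id is gitignored and must exist in the project checkout before setup runs; it is used as a suffix for globally-unique AWS resource names (reports_aws_bucket_name)`, and consider an `ansible.builtin.assert` in the setup playbook so the failure names the file. The removed `controller_credentials` entry carried the `REPLACEME` AWS key placeholders; assuming the credential, execution-environment and project definitions moved to a shared vars file outside this diff that is fine, but if they simply went away the `AWS` credential referenced by every remaining template is never created.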
@@ -146,153 +64,20 @@ controller_templates: extra_vars: aws_region: us-east-1 - - name: Cloud / AWS / Create VPC - job_type: run - organization: Default - credentials: - - AWS - project: Ansible official demo project - playbook: cloud/create_vpc.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Owner - type: text - variable: aws_owner_tag - required: true - - - name: Cloud / AWS / Create VM - job_type: run - organization: Default - credentials: - - AWS - - Demo Credential - project: Ansible Cloud Content Lab - AWS - playbook: playbook_create_vm.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - allow_simultaneous: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Name - type: text - variable: create_vm_vm_name - required: true - - question_name: Owner - type: text - variable: create_vm_vm_owner - required: true - - question_name: Deployment - type: text - variable: create_vm_vm_deployment - required: true - - question_name: Environment - type: multiplechoice - variable: create_vm_vm_environment - required: true - choices: - - Dev - - QA - - Prod - - question_name: Blueprint - type: multiplechoice - variable: vm_blueprint - required: true - choices: - - windows_core - - windows_full - - rhel9 - - rhel8 - - rhel7 - - al2023 - - question_name: Subnet - type: text - variable: 
create_vm_aws_vpc_subnet_name - required: true - default: aws-test-subnet - - question_name: Security Group - type: text - variable: create_vm_aws_securitygroup_name - required: true - default: aws-test-sg - - question_name: SSH Keypair - type: text - variable: create_vm_aws_keypair_name - required: true - default: aws-test-key - - question_name: AWS Instance Type (defaults to blueprint value) - type: text - variable: create_vm_aws_instance_size - required: false - - question_name: AWS Image Filter (defaults to blueprint value) - type: text - variable: create_vm_aws_image_filter - required: false - - - name: Cloud / AWS / Delete VM - job_type: run - organization: Default - credentials: - - AWS - - Demo Credential - project: Ansible Cloud Content Lab - AWS - playbook: playbook_delete_inventory_vm.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: Name or Pattern - type: text - variable: _hosts - required: true - - name: Cloud / AWS / VPC Report job_type: run organization: Default credentials: - AWS project: Ansible Cloud Content Lab - AWS - playbook: playbook_create_reports.yml + playbook: playbooks/create_reports.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry extra_vars: aws_report: vpc + reports_aws_bucket_name: reports-pd-{{ _deployment_id }} survey_enabled: true survey: name: '' 
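Review bot: `reports_aws_bucket_name: reports-pd-{{ _deployment_id }}` derives a globally-unique S3 bucket name from a value whose entropy is unknown here (`.deployment_id` is a gitignored local file); bucket names are one global namespace, so if the id is short or guessable a third party can pre-create `reports-pd-<id>` and receive the VPC/tag reports, or the job simply fails with `BucketAlreadyExists`. Either state the requirement where the id is defined (`# must be unique and non-guessable: used as an S3 bucket suffix`) or let the report playbook create the bucket with a random suffix and publish the resulting name via `set_stats`. This hunk also deletes the `Cloud / AWS / Create VPC` and `Cloud / AWS / Create VM` templates, yet the workflow nodes added later in this commit still reference `unified_job_template: Cloud / AWS / Create VM`; unless they are recreated in a file outside this diff the workflow import will fail on the dangling reference.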
@@ -314,13 +99,14 @@ controller_templates: credentials: - AWS project: Ansible Cloud Content Lab - AWS - playbook: playbook_create_reports.yml + playbook: playbooks/create_reports.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry extra_vars: aws_report: tags + reports_aws_bucket_name: reports-pd-{{ _deployment_id }} survey_enabled: true survey: name: '' @@ -336,45 +122,6 @@ controller_templates: - us-west-1 - us-west-2 - - name: Cloud / AWS / Create Keypair - job_type: run - organization: Default - credentials: - - AWS - project: Ansible official demo project - playbook: cloud/aws_key.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Keypair Name - type: text - variable: aws_key_name - required: true - default: aws-test-key - - question_name: Keypair Public Key - type: textarea - variable: aws_public_key - required: true - - question_name: Owner - type: text - variable: aws_keypair_owner - required: true - - name: Cloud / AWS / Snapshot EC2 job_type: run organization: Default 
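Review bot: The bucket-name expression `reports-pd-{{ _deployment_id }}` is now duplicated verbatim between the VPC Report and Tags Report templates; define it once next to `_deployment_id` (`_reports_bucket: "reports-pd-{{ _deployment_id }}"`) and use `reports_aws_bucket_name: "{{ _reports_bucket }}"` in both, so a later change to the naming scheme cannot leave the two reports writing to different buckets. Unquoted `{{ }}` after a literal prefix is valid YAML, but quoting the templated value keeps the file consistent with the `_deployment_id` line at the top.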
@@ -523,19 +270,30 @@ controller_workflows: - identifier: VPC Report unified_job_template: Cloud / AWS / VPC Report all_parents_must_converge: true - success_nodes: - - Deploy Windows Blueprint + always_nodes: + - Deploy Windows GUI Blueprint - Deploy RHEL8 Blueprint - Deploy RHEL9 Blueprint - - identifier: Deploy Windows Blueprint + - Deploy Windows Core Blueprint + - Deploy Report Server + - identifier: Deploy Windows GUI Blueprint unified_job_template: Cloud / AWS / Create VM extra_data: - create_vm_vm_name: aws_win + create_vm_vm_name: aws_dc vm_blueprint: windows_full success_nodes: - Update Inventory failure_nodes: - Ticket - Instance Failed + - identifier: Deploy Windows Core Blueprint + unified_job_template: Cloud / AWS / Create VM + extra_data: + create_vm_vm_name: aws_win1 + vm_blueprint: windows_core + success_nodes: + - Update Inventory + failure_nodes: + - Ticket - Instance Failed - identifier: Deploy RHEL8 Blueprint unified_job_template: Cloud / AWS / Create VM extra_data: @@ -554,6 +312,15 @@ controller_workflows: - Update Inventory failure_nodes: - Ticket - Instance Failed + - identifier: Deploy Report Server + unified_job_template: Cloud / AWS / Create VM + extra_data: + create_vm_vm_name: reports + vm_blueprint: rhel9 + success_nodes: + - Update Inventory + failure_nodes: + - Ticket - Instance Failed - identifier: Ticket - VPC Failed unified_job_template: 'SUBMIT FEEDBACK' extra_data: diff --git a/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 b/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 index c4671f2..00e87c3 100644 --- a/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 +++ b/collections/ansible_collections/demo/cloud/roles/aws/templates/aws_windows_userdata.j2 
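Review bot: Changing `success_nodes` to `always_nodes` under the `VPC Report` node means the four VM deployments and the new report server now launch even when the report job fails, which silently removes the only gate that preceded the fan-out. If the report is purely informational, record that decision in the vars file (`# always_nodes: VM deployment must not be blocked by a report failure`); otherwise keep `success_nodes` and let the failure fall through to the existing `Ticket - VPC Failed` path. The two added nodes mirror the existing ones (same `success_nodes`/`failure_nodes`), so nothing else in this hunk needs changing.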
@@ -26,4 +26,4 @@ New-LocalUser -Name "ec2-user" -Description "Ansible Service Account" -Password Add-LocalGroupMember -Group "Administrators" -Member "ec2-user" Rename-Computer -NewName {{ aws_vm_name }} -Force -Restart - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py index 4565273..bedc176 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/callback_plugins/stig_xml.py @@ -1,4 +1,5 @@ -from __future__ import (absolute_import, division, print_function) +from __future__ import absolute_import, division, print_function + __metaclass__ = type from ansible.plugins.callback import CallbackBase 
@@ -14,61 +15,65 @@ import xml.dom.minidom role = "iosxeSTIG" + class CallbackModule(CallbackBase): CALLBACK_VERSION = 2.0 - CALLBACK_TYPE = 'xml' - CALLBACK_NAME = 'stig_xml' + CALLBACK_TYPE = "xml" + CALLBACK_NAME = "stig_xml" CALLBACK_NEEDS_WHITELIST = True def __init__(self): super(CallbackModule, self).__init__() self.rules = {} - self.stig_path = os.environ.get('STIG_PATH') - self.XML_path = os.environ.get('XML_PATH') + self.stig_path = os.environ.get("STIG_PATH") + self.XML_path = os.environ.get("XML_PATH") if self.stig_path is None: self.stig_path = os.path.join(os.getcwd(), "roles", role, "files") - self._display.display('Using STIG_PATH: {}'.format(self.stig_path)) + self._display.display("Using STIG_PATH: {}".format(self.stig_path)) if self.XML_path is None: self.XML_path = os.getcwd() - self._display.display('Using XML_PATH: {}'.format(self.XML_path)) + self._display.display("Using XML_PATH: {}".format(self.XML_path)) print("Writing: {}".format(self.XML_path)) STIG_name = os.path.basename(self.stig_path) - ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2') - self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult') - self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name)) + ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2") + self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult") + self.tr.set( + "id", + "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name), + ) endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime()) - self.tr.set('end-time', endtime) - tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target') + self.tr.set("end-time", endtime) + tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target") tg.text = platform.node() def __get_rev(self, nid): - rev = '0' + rev = "0" # Check all files for the rule number. 
for file in os.listdir(self.stig_path): - with open(os.path.join(self.stig_path, file), 'r') as f: - r = 'SV-{}r(?P\d)_rule'.format(nid) + with open(os.path.join(self.stig_path, file), "r") as f: + r = "SV-{}r(?P\d)_rule".format(nid) m = re.search(r, f.read()) if m: - rev = m.group('rev') + rev = m.group("rev") break return rev def v2_runner_on_ok(self, result): name = result._task.get_name() - m = re.search('stigrule_(?P\d+)', name) + m = re.search("stigrule_(?P\d+)", name) if m: - nid = m.group('id') + nid = m.group("id") else: return rev = self.__get_rev(nid) key = "{}r{}".format(nid, rev) - if self.rules.get(key, 'Unknown') != False: + if self.rules.get(key, "Unknown") != False: self.rules[key] = result.is_changed() def __set_duplicates(self): - with open(os.path.join(self.stig_path, 'duplicates.json')) as f: + with open(os.path.join(self.stig_path, "duplicates.json")) as f: dups = json.load(f) for d in dups: dup_of = str(dups[d][0]) 
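Review bot: `if self.rules.get(key, "Unknown") != False:` in `v2_runner_on_ok` compares against a singleton with `!=` and only works because the sentinel string happens to be unequal; `if self.rules.get(key) is not False:` says what is meant (absent → `None`, which the guard is meant to let through). `__get_rev` builds its pattern as a plain string literal containing `\d` — an invalid escape that Python 3.12 reports as a SyntaxWarning — so make it a raw string, `r = r"SV-{}r(?P<rev>\d)_rule".format(nid)`, and note that it re-opens and re-reads every file in `stig_path` (including `duplicates.json`, which `__set_duplicates` shows lives there) for each matching task; reading the files once in `__init__` and caching their text would turn an O(rules×files) scan into one read per file. `os.listdir` also yields subdirectories, which `open()` rejects with `IsADirectoryError`, so an `os.path.isfile` filter is cheap insurance. The enclosing class continues beyond this hunk.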
@@ -82,17 +87,19 @@ class CallbackModule(CallbackBase): def v2_playbook_on_stats(self, stats): self.__set_duplicates() for rule, changed in self.rules.items(): - state = 'fail' if changed else 'pass' - rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result') - rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule)) - rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result') + state = "fail" if changed else "pass" + rr = ET.SubElement( + self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result" + ) + rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule)) + rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result") rs.text = state passing = len(self.rules) - sum(self.rules.values()) - sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score') - sc.set('maximum', str(len(self.rules))) - sc.set('system', 'urn:xccdf:scoring:flat-unweighted') + sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score") + sc.set("maximum", str(len(self.rules))) + sc.set("system", "urn:xccdf:scoring:flat-unweighted") sc.text = str(passing) - with open(os.path.join(self.XML_path, "xccdf-results.xml"), 'w') as f: + with open(os.path.join(self.XML_path, "xccdf-results.xml"), "w") as f: out = ET.tostring(self.tr) - pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8') + pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8") f.write(pretty) diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml index c746ea4..dd62f50 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/defaults/main.yml 
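Review bot: `f.write(pretty)` at the end of `v2_playbook_on_stats` writes the result of `toprettyxml(encoding="utf-8")`, which returns `bytes`, into a file opened in text mode (`"w"`); on Python 3 that raises `TypeError: write() argument must be str, not bytes` and the XCCDF result file is never produced (it only worked under Python 2, which the `from __future__` imports suggest this was written for). Open the file in binary mode — `with open(os.path.join(self.XML_path, "xccdf-results.xml"), "wb") as f:` — or drop the `encoding=` argument and write the `str`. `passing = len(self.rules) - sum(self.rules.values())` assumes every stored value is a bool; if `__set_duplicates` (outside this hunk) can store anything else the score is silently wrong, so a one-line comment stating that invariant next to the assignment would help the next reader.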
@@ -26,7 +26,7 @@ iosxeSTIG_stigrule_215814_login_Text: 'You are accessing a U.S. Government (USG) By using this IS (which includes any device attached to this IS), you consent to the following conditions: --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. @@ -36,7 +36,7 @@ counterintelligence (CI) investigations. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. --Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, +-Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' # R-215815 CISC-ND-000210 diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml index 128c7c7..6696a6c 100644 
--- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_NDM_STIG_V2R1_Manual-xccdf.xml
@@ -69,20 +69,20 @@ archive Note: Configuration changes can be viewed using the show archive log config all command. -If account removal is not automatically audited, this is a finding.SRG-APP-000038-NDM-000213<GroupDescription></GroupDescription>CISC-ND-000140The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.<VulnDiscussion>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. +If account removal is not automatically audited, this is a finding.SRG-APP-000038-NDM-000213<GroupDescription></GroupDescription>CISC-ND-000140The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.<VulnDiscussion>A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. 
Application-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Applications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96205SV-105343CCI-001368Configure the Cisco router to restrict management access to specific IP addresses via SSH as shown in the example below. -SW2(config)#ip access-list standard MANAGEMENT_NET -SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255 -SW2(config-std-nacl)#exit -SW2(config)#line vty 0 4 -SW2(config-line)#transport input ssh -SW2(config-line)#access-class MANAGEMENT_NET in +SW2(config)#ip access-list standard MANAGEMENT_NET +SW2(config-std-nacl)#permit x.x.x.0 0.0.0.255 +SW2(config-std-nacl)#exit +SW2(config)#line vty 0 4 +SW2(config-line)#transport input ssh +SW2(config-line)#access-class MANAGEMENT_NET in SW2(config-line)#end -Review the Cisco router configuration to verify that it is compliant with this requirement. +Review the Cisco router configuration to verify that it is compliant with this requirement. Step 1: Verify that the line vty has an ACL inbound applied as shown in the example below. 
@@ -92,7 +92,7 @@ line vty 0 4 Step 2: Verify that the ACL permits only hosts from the management network to access the router. -ip access-list extended MANAGEMENT_NET +ip access-list extended MANAGEMENT_NET permit ip x.x.x.0 0.0.0.255 any deny ip any any log-input 
@@ -166,7 +166,7 @@ archive Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level. -If logging of administrator activity is not configured, this is a finding.SRG-APP-000091-NDM-000223<GroupDescription></GroupDescription>CISC-ND-000250The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If logging of administrator activity is not configured, this is a finding.SRG-APP-000091-NDM-000223<GroupDescription></GroupDescription>CISC-ND-000250The Cisco router must be configured to generate audit records when successful/unsuccessful attempts to log on with access privileges occur.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96221SV-105359CCI-000172Configure the Cisco router to log all logon attempts as shown in the example below. 
@@ -193,7 +193,7 @@ R1(config-ext-nacl)#deny icmp any any log-inputSRG-APP-000101-NDM-000231<GroupDescription></GroupDescription>CISC-ND-000330The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the router is not configured with the log-input parameter after any deny statements to note where packets have been dropped via an ACL, this is a finding.SRG-APP-000101-NDM-000231<GroupDescription></GroupDescription>CISC-ND-000330The Cisco router must be configured to generate audit records containing the full-text recording of privileged commands.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. The additional information required is dependent on the type of information (i.e., sensitivity of the data and the environment within which it resides). At a minimum, the organization must audit full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96227SV-105365CCI-000135Configure the Cisco router to log all configuration changes as shown in the example below. 
@@ -210,11 +210,11 @@ Note: Configuration changes can be viewed using the show archive log config all If the Cisco router is not configured to generate audit records of configuration changes, this is a finding.SRG-APP-000119-NDM-000236<GroupDescription></GroupDescription>CISC-ND-000380The Cisco router must be configured to protect audit information from unauthorized modification.<VulnDiscussion>Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit network device activity. -If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. +If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. -To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. +To ensure the veracity of audit data, the network device must protect audit information from unauthorized modification. -This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. +This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions and limiting log data locations. 
Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights that the user enjoys in order to make access decisions regarding the modification of audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96231SV-105369CCI-000163If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. 
@@ -226,15 +226,15 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384 Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below. -file privilege 10 +file privilege 10 Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration. If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.SRG-APP-000120-NDM-000237<GroupDescription></GroupDescription>CISC-ND-000390The Cisco router must be configured to protect audit information from unauthorized deletion.<VulnDiscussion>Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. -If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. +If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. -To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. +To ensure the veracity of audit data, the network device must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. 
Some commonly employed methods include: ensuring log files receive the proper file system permissions utilizing file system protections, restricting access, and backing up log data to ensure log data is retained. Network devices providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96233SV-105371CCI-000164If persistent logging is enabled, configure the router to only allow administrators with privilege level "15" access to the file system as shown in the example below. @@ -246,7 +246,7 @@ logging persistent url disk0:/logfile size 134217728 filesize 16384 Step 2: Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below. -file privilege 10 +file privilege 10 Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration. 
@@ -254,11 +254,11 @@ If the router is configured with a privilege level other than "15" to allow acce R4(config)#file privilege 15Verify that the router is not configured with a privilege level other than "15" to allow access to the file system as shown in the example below. -file privilege 10 +file privilege 10 Note: The default privilege level required for access to the file system is "15"; hence, the command file privilege "15" will not be shown in the configuration. -If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CISC-ND-000470The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.<VulnDiscussion>Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. +If the router is configured with a privilege level other than "15" to allow access to the file system, this is a finding.SRG-APP-000142-NDM-000245<GroupDescription></GroupDescription>CISC-ND-000470The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.<VulnDiscussion>Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. 
To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved. Some network devices have capabilities enabled by default; if these capabilities are not necessary, they must be disabled. If a particular capability is used, then it must be documented and approved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96239SV-105377CCI-000382Disable the following services if enabled as shown in the example below. 
@@ -312,7 +312,7 @@ aaa authentication login default group tacacs+ local If the Cisco router is not configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable, this is a finding.SRG-APP-000156-NDM-000250<GroupDescription></GroupDescription>CISC-ND-000530The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. -An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. +An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96249SV-105387CCI-001941Configure SSH to use FIPS-140-2 compliant HMACs as shown in the example below. 
@@ -324,7 +324,7 @@ Note: An SSH configuration enables a server and client to authorize the negotiat ip ssh version 2 ip ssh server algorithm encryption aes128-cbc aes192-cbc aes192-ctr -Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established. +Note: An SSH configuration enables a server and client to authorize the negotiation of only those algorithms that are configured from the allowed list. If a remote party tries to negotiate using an algorithm that is not part of the allowed list, the request is rejected and the session is not established. If the router is not configured to implement replay-resistant authentication mechanisms for network access to privileged accounts, this is a finding.SRG-APP-000164-NDM-000252<GroupDescription></GroupDescription>CISC-ND-000550The Cisco router must be configured to enforce a minimum 15-character password length.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
@@ -428,12 +428,12 @@ Performance and time required to access are factors that must be considered, and In many instances, verifying the user knows a password is performed using a password verifier. In its simplest form, a password verifier is a computational function that is capable of creating a hash of a password and determining if the value provided by the user matches the stored hash.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020SV-105403V-96265CCI-000196Configure the router to encrypt all passwords. -R4(config)#service password-encryption +R4(config)#service password-encryption R4(config)#endReview the router configuration to determine if passwords are encrypted as shown in the example below. service password-encryption -If the router is not configured to encrypt passwords, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CISC-ND-000720The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
+If the router is not configured to encrypt passwords, this is a finding.SRG-APP-000190-NDM-000267<GroupDescription></GroupDescription>CISC-ND-000720The Cisco router must be configured to terminate all network connections associated with device management after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020SV-105409V-96271CCI-001133Set the idle timeout value to "10" minutes or less on all configured login classes as shown in the example below. 
@@ -490,7 +490,7 @@ archive Note: The logging userinfo global configuration command will generate a log when a user increases his or her privilege level. -If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>CISC-ND-000980The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. +If the Cisco router is not configured to log all commands entered from the command line interface as well as log all configuration changes, this is a finding.SRG-APP-000357-NDM-000293<GroupDescription></GroupDescription>CISC-ND-000980The Cisco router must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.<VulnDiscussion>In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. 
The value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96297SV-105435CCI-001849Configure the buffer size for logging as shown in the example below. 
@@ -500,7 +500,7 @@ logging buffered xxxxxxxx informational If a logging buffer size is not configured, this is a finding. -If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.SRG-APP-000360-NDM-000295<GroupDescription></GroupDescription>CISC-ND-001000The Cisco router must be configured to generate an alert for all audit failure events.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. +If the Cisco router is not configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.SRG-APP-000360-NDM-000295<GroupDescription></GroupDescription>CISC-ND-001000The Cisco router must be configured to generate an alert for all audit failure events.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. 
Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96301SV-105439CCI-001858Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below. 
@@ -514,7 +514,7 @@ logging x.x.x.x Note: The parameter "critical" can replaced with a lesser severity level (i.e. error, warning, notice, informational). Informational is the default severity level; hence, if the severity level is configured to informational, the logging trap command will not be shown in the configuration. -If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>CISC-ND-001030The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. +If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.SRG-APP-000373-NDM-000298<GroupDescription></GroupDescription>CISC-ND-001030The Cisco router must be configured to synchronize its clock with the primary and secondary time sources using redundant authoritative time sources.<VulnDiscussion>The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. 
@@ -530,7 +530,7 @@ If the Cisco router is not configured to synchronize its clock with redundant au
 R2(config)#service timestamps log datetime localtimeReview the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.
-service timestamps log datetime
+service timestamps log datetime
 If the router is not configured to record time stamps that meet a granularity of one second, this is a finding.SRG-APP-000374-NDM-000299<GroupDescription></GroupDescription>CISC-ND-001050The Cisco router must be configured to record time stamps for log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.
@@ -562,7 +562,7 @@ R4(config)#snmp-server view V3READ iso included
 R4(config)#snmp-server view V3WRITE iso included R4(config)#snmp-server host x.x.x.x version 3 auth V3USERReview the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below.
-snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
+snmp-server group V3GROUP v3 auth read V3READ write V3WRITE
 snmp-server view V3READ iso included snmp-server view V3WRITE iso included snmp-server host x.x.x.x version 3 auth V3USER
@@ -615,7 +615,7 @@ ntp server y.y.y.y key 1
 If the Cisco router is not configured to authenticate NTP sources using authentication that is cryptographically based, this is a finding.SRG-APP-000411-NDM-000330<GroupDescription></GroupDescription>CISC-ND-001200The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
-Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
+Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
 Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96327SV-105465CCI-002890The Cisco router is not compliant with this requirement.
However, the risk associated with this requirement can be fully mitigated if the router is configured.
@@ -638,7 +638,7 @@ ip ssh server algorithm mac hmac-sha1-96
 HTTPS Example ip http secure-server
-ip http secure-ciphersuite aes-128-cbc-sha
+ip http secure-ciphersuite aes-128-cbc-sha
 ip http secure-client-auth ip http secure-trustpoint CA_XXX
@@ -661,7 +661,7 @@ ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr
 HTTPS Example ip http secure-server
-ip http secure-ciphersuite aes-128-cbc-sha
+ip http secure-ciphersuite aes-128-cbc-sha
 ip http secure-client-auth ip http secure-trustpoint CA_XXX
@@ -752,85 +752,85 @@ Step 4: Apply the policy map to the control plane.
 R1(config)#control-plane R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
-R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement.
+R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement.
 Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
-class-map match-all CoPP_CRITICAL
-match access-group name CoPP_CRITICAL
-class-map match-any CoPP_IMPORTANT
-match access-group name CoPP_IMPORTANT
-match protocol arp
-class-map match-all CoPP_NORMAL
-match access-group name CoPP_NORMAL
-class-map match-any CoPP_UNDESIRABLE
-match access-group name CoPP_UNDESIRABLE
-class-map match-all CoPP_DEFAULT
-match access-group name CoPP_DEFAULT
+class-map match-all CoPP_CRITICAL
+match access-group name CoPP_CRITICAL
+class-map match-any CoPP_IMPORTANT
+match access-group name CoPP_IMPORTANT
+match protocol arp
+class-map match-all CoPP_NORMAL
+match access-group name CoPP_NORMAL
+class-map match-any CoPP_UNDESIRABLE
+match access-group name CoPP_UNDESIRABLE
+class-map match-all CoPP_DEFAULT
+match access-group name CoPP_DEFAULT
 Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately.
The following is an example configuration:
-ip access-list extended CoPP_CRITICAL
-remark our control plane adjacencies are critical
-permit ospf host [OSPF neighbor A] any
-permit ospf host [OSPF neighbor B] any
-permit pim host [PIM neighbor A] any
-permit pim host [PIM neighbor B] any
-permit pim host [RP addr] any
-permit igmp any 224.0.0.0 15.255.255.255
-permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
-permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
-deny ip any any
+ip access-list extended CoPP_CRITICAL
+remark our control plane adjacencies are critical
+permit ospf host [OSPF neighbor A] any
+permit ospf host [OSPF neighbor B] any
+permit pim host [PIM neighbor A] any
+permit pim host [PIM neighbor B] any
+permit pim host [RP addr] any
+permit igmp any 224.0.0.0 15.255.255.255
+permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
+permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
+deny ip any any
-ip access-list extended CoPP_IMPORTANT
-permit tcp host [TACACS server] eq tacacs any
-permit tcp [management subnet] 0.0.0.255 any eq 22
-permit udp host [SNMP manager] any eq snmp
-permit udp host [NTP server] eq ntp any
-deny ip any any
+ip access-list extended CoPP_IMPORTANT
+permit tcp host [TACACS server] eq tacacs any
+permit tcp [management subnet] 0.0.0.255 any eq 22
+permit udp host [SNMP manager] any eq snmp
+permit udp host [NTP server] eq ntp any
+deny ip any any
-ip access-list extended CoPP_NORMAL
-remark we will want to rate limit ICMP traffic
-permit icmp any any echo
-permit icmp any any echo-reply
-permit icmp any any time-exceeded
-permit icmp any any unreachable
-deny ip any any
+ip access-list extended CoPP_NORMAL
+remark we will want to rate limit ICMP traffic
+permit icmp any any echo
+permit icmp any any echo-reply
+permit icmp any any time-exceeded
+permit icmp any any unreachable
+deny ip any any
-ip access-list extended CoPP_UNDESIRABLE
-remark other management plane traffic that should not be
received
-permit udp any any eq ntp
+ip access-list extended CoPP_UNDESIRABLE
+remark other management plane traffic that should not be received
+permit udp any any eq ntp
 permit udp any any eq snmp
-permit tcp any any eq 22
-permit tcp any any eq 23
-remark other control plane traffic not configured on router
-permit eigrp any any
-permit udp any any eq rip
-deny ip any any
+permit tcp any any eq 22
+permit tcp any any eq 23
+remark other control plane traffic not configured on router
+permit eigrp any any
+permit udp any any eq rip
+deny ip any any
-ip access-list extended CoPP_DEFAULT
-permit ip any any
+ip access-list extended CoPP_DEFAULT
+permit ip any any
-Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
+Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
 Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification.
The following is an example configuration:
-policy-map CONTROL_PLANE_POLICY
-class CoPP_CRITICAL
-police 512000 8000 conform-action transmit exceed-action transmit
-class CoPP_IMPORTANT
-police 256000 4000 conform-action transmit exceed-action drop
-class CoPP_NORMAL
-police 128000 2000 conform-action transmit exceed-action drop
-class CoPP_UNDESIRABLE
-police 8000 1000 conform-action drop exceed-action drop
+policy-map CONTROL_PLANE_POLICY
+class CoPP_CRITICAL
+police 512000 8000 conform-action transmit exceed-action transmit
+class CoPP_IMPORTANT
+police 256000 4000 conform-action transmit exceed-action drop
+class CoPP_NORMAL
+police 128000 2000 conform-action transmit exceed-action drop
+class CoPP_UNDESIRABLE
+police 8000 1000 conform-action drop exceed-action drop
 class CoPP_DEFAULT
-police 64000 1000 conform-action transmit exceed-action drop
+police 64000 1000 conform-action transmit exceed-action drop
 Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
-control-plane
-service-policy input CONTROL_PLANE_POLICY
+control-plane
+service-policy input CONTROL_PLANE_POLICY
 Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
@@ -838,7 +838,7 @@ If the Cisco router is not configured to protect against known types of DoS atta
 Audit records can be generated from various components within the network device (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020SV-105471V-96333CCI-000172Configure the Cisco router to generate log records when account privileges are modified as shown in the example below.
-R4(config)#logging userinfo
+R4(config)#logging userinfo
 R4(config)#archive R4(config-archive)#log config R4(config-archive-log-cfg)#logging enable
@@ -928,7 +928,7 @@ R4(config-line)#login authentication LOGIN_AUTHENTICATION
 R4(config-line)#exit R4(config)#line con 0 R4(config-line)#login authentication LOGIN_AUTHENTICATION
-R4(config-line)#exit
+R4(config-line)#exit
 R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATIONReview the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: aaa new-model
@@ -999,7 +999,7 @@ logging x.x.x.x
 Note: Default for sending log messages to the syslog server is informational (level 6); hence, the command logging trap informational will not be seen in the configuration. Level of log messages sent to the syslog server can be verified using the show logging command.
-If the router is not configured to send log data to the syslog server, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>CISC-ND-001470The Cisco router must be running an IOS release that is currently supported by Cisco Systems.<VulnDiscussion>Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities. Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96369SV-105507CCI-000366Upgrade the router to a supported release.Verify that the router is in compliance with this requirement by having the router administrator enter the following command:
+If the router is not configured to send log data to the syslog server, this is a finding.SRG-APP-000516-NDM-000351<GroupDescription></GroupDescription>CISC-ND-001470The Cisco router must be running an IOS release that is currently supported by Cisco Systems.<VulnDiscussion>Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilities.
Running a supported release also enables operations to maintain a stable and reliable network provided by improved quality of service and security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router NDMDISADPMS TargetCisco IOS XE Router NDM4020V-96369SV-105507CCI-000366Upgrade the router to a supported release.Verify that the router is in compliance with this requirement by having the router administrator enter the following command:
 show version
@@ -1007,4 +1007,4 @@ Verify that the release is still supported by Cisco. All releases supported by C
 www.cisco.com/c/en/us/support/ios-nx-os-software
-If the router is not running a supported release, this is a finding.
\ No newline at end of file
+If the router is not running a supported release, this is a finding.
diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml
index 4e9f338..7abbcbf 100644
--- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/files/U_Cisco_IOS-XE_Router_RTR_STIG_V2R1_Manual-xccdf.xml
@@ -71,7 +71,7 @@ router bgp nn
 neighbor x.x.x.x remote-as nn neighbor x.x.x.x password xxxxxxx
-Note: BGP authentication uses MD5
+Note: BGP authentication uses MD5
 EIGRP Example:
@@ -155,7 +155,7 @@ interface GigabitEthernet3
 ! interface GigabitEthernet4 shutdown
-
+
 If an interface is not being used but is configured or enabled, this is a finding.SRG-NET-000131-RTR-000035<GroupDescription></GroupDescription>CISC-RT-000070The Cisco router must be configured to have all non-essential capabilities disabled.<VulnDiscussion>A compromised router introduces risk to the entire network infrastructure, as well as data resources that are accessible via the network. The perimeter defense has no oversight or control of attacks by malicious users within the network. Preventing network breaches from within is dependent on implementing a comprehensive defense-in-depth strategy, including securing each device connected to the network. This is accomplished by following and implementing all security guidance applicable for each node type. A fundamental step in securing each router is to enable only the capabilities required for operation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106005V-96867CCI-000381Disable the following services if enabled as shown in the example below: R2(config)#no boot network
@@ -199,7 +199,7 @@ R2(config)#no cns config initial
 R2(config)#no cns exec R2(config)#no cns image R2(config)#no cns trusted-server config x.x.x.x
-R2(config)#no cns trusted-server image x.x.x.xReview the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.
+R2(config)#no cns trusted-server image x.x.x.xReview the device configuration to determine if auto-configuration or zero-touch deployment via Cisco Networking Services (CNS) is enabled.
 Auto-configuration example:
@@ -220,7 +220,7 @@ cns config initial x.x.x.x 80
 cns exec 80 cns image
-If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.
+If a configuration auto-loading feature or zero-touch deployment feature is enabled, this is a finding.
 Note: Auto-configuration or zero-touch deployment features can be enabled when the router is offline for the purpose of image loading or building out the configuration. In addition, this would not be applicable to the provisioning of virtual routers via a software-defined network (SDN) orchestration system.SRG-NET-000362-RTR-000110<GroupDescription></GroupDescription>CISC-RT-000120The Cisco router must be configured to protect against or limit the effects of denial of service (DoS) attacks by employing control plane protection.<VulnDiscussion>The Route Processor (RP) is critical to all network operations because it is the component used to build all forwarding paths for the data plane via control plane processes. It is also instrumental with ongoing network management functions that keep the routers and links available for providing network services. Any disruption to the RP or the control and management planes can result in mission-critical network outages.
@@ -307,92 +307,92 @@ Step 4: Apply the policy map to the control plane.
 R1(config)#control-plane R1(config-cp)#service-policy input CONTROL_PLANE_POLICY
-R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement.
+R1(config-cp)#endReview the Cisco router configuration to verify that it is compliant with this requirement.
-Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
+Step 1: Verify traffic types have been classified based on importance levels. The following is an example configuration:
-class-map match-all CoPP_CRITICAL
-match access-group name CoPP_CRITICAL
-class-map match-any CoPP_IMPORTANT
-match access-group name CoPP_IMPORTANT
-match protocol arp
-class-map match-all CoPP_NORMAL
-match access-group name CoPP_NORMAL
-class-map match-any CoPP_UNDESIRABLE
-match access-group name CoPP_UNDESIRABLE
-class-map match-all CoPP_DEFAULT
-match access-group name CoPP_DEFAULT
+class-map match-all CoPP_CRITICAL
+match access-group name CoPP_CRITICAL
+class-map match-any CoPP_IMPORTANT
+match access-group name CoPP_IMPORTANT
+match protocol arp
+class-map match-all CoPP_NORMAL
+match access-group name CoPP_NORMAL
+class-map match-any CoPP_UNDESIRABLE
+match access-group name CoPP_UNDESIRABLE
+class-map match-all CoPP_DEFAULT
+match access-group name CoPP_DEFAULT
-Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately. The following is an example configuration:
+Step 2: Review the ACLs referenced by the class maps to determine if the traffic is being classified appropriately.
The following is an example configuration:
-ip access-list extended CoPP_CRITICAL
-remark our control plane adjacencies are critical
-permit ospf host [OSPF neighbor A] any
-permit ospf host [OSPF neighbor B] any
-permit pim host [PIM neighbor A] any
-permit pim host [PIM neighbor B] any
-permit pim host [RP addr] any
-permit igmp any 224.0.0.0 15.255.255.255
-permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
-permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
-deny ip any any
+ip access-list extended CoPP_CRITICAL
+remark our control plane adjacencies are critical
+permit ospf host [OSPF neighbor A] any
+permit ospf host [OSPF neighbor B] any
+permit pim host [PIM neighbor A] any
+permit pim host [PIM neighbor B] any
+permit pim host [RP addr] any
+permit igmp any 224.0.0.0 15.255.255.255
+permit tcp host [BGP neighbor] eq bgp host [local BGP addr]
+permit tcp host [BGP neighbor] host [local BGP addr] eq bgp
+deny ip any any
-ip access-list extended CoPP_IMPORTANT
-permit tcp host [TACACS server] eq tacacs any
-permit tcp [management subnet] 0.0.0.255 any eq 22
-permit udp host [SNMP manager] any eq snmp
-permit udp host [NTP server] eq ntp any
-deny ip any any
+ip access-list extended CoPP_IMPORTANT
+permit tcp host [TACACS server] eq tacacs any
+permit tcp [management subnet] 0.0.0.255 any eq 22
+permit udp host [SNMP manager] any eq snmp
+permit udp host [NTP server] eq ntp any
+deny ip any any
-ip access-list extended CoPP_NORMAL
-remark we will want to rate limit ICMP traffic
-permit icmp any any echo
-permit icmp any any echo-reply
-permit icmp any any time-exceeded
-permit icmp any any unreachable
-deny ip any any
+ip access-list extended CoPP_NORMAL
+remark we will want to rate limit ICMP traffic
+permit icmp any any echo
+permit icmp any any echo-reply
+permit icmp any any time-exceeded
+permit icmp any any unreachable
+deny ip any any
-ip access-list extended CoPP_UNDESIRABLE
-remark other management plane traffic that should not be
received
-permit udp any any eq ntp
+ip access-list extended CoPP_UNDESIRABLE
+remark other management plane traffic that should not be received
+permit udp any any eq ntp
 permit udp any any eq snmp
-permit tcp any any eq 22
-permit tcp any any eq 23
-remark other control plane traffic not configured on router
-permit eigrp any any
-permit udp any any eq rip
-deny ip any any
+permit tcp any any eq 22
+permit tcp any any eq 23
+remark other control plane traffic not configured on router
+permit eigrp any any
+permit udp any any eq rip
+deny ip any any
-ip access-list extended CoPP_DEFAULT
-permit ip any any
+ip access-list extended CoPP_DEFAULT
+permit ip any any
-Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
+Note: Explicitly defining undesirable traffic with ACL entries enables the network operator to collect statistics. Excessive ARP packets can potentially monopolize Route Processor resources, starving other important processes. Currently, ARP is the only Layer 2 protocol that can be specifically classified using the match protocol command.
-Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification. The following is an example configuration:
+Step 3: Review the policy-map to determine if the traffic is being policed appropriately for each classification.
The following is an example configuration:
-policy-map CONTROL_PLANE_POLICY
-class CoPP_CRITICAL
-police 512000 8000 conform-action transmit exceed-action transmit
-class CoPP_IMPORTANT
-police 256000 4000 conform-action transmit exceed-action drop
-class CoPP_NORMAL
-police 128000 2000 conform-action transmit exceed-action drop
-class CoPP_UNDESIRABLE
-police 8000 1000 conform-action drop exceed-action drop
+policy-map CONTROL_PLANE_POLICY
+class CoPP_CRITICAL
+police 512000 8000 conform-action transmit exceed-action transmit
+class CoPP_IMPORTANT
+police 256000 4000 conform-action transmit exceed-action drop
+class CoPP_NORMAL
+police 128000 2000 conform-action transmit exceed-action drop
+class CoPP_UNDESIRABLE
+police 8000 1000 conform-action drop exceed-action drop
 class CoPP_DEFAULT
-police 64000 1000 conform-action transmit exceed-action drop
+police 64000 1000 conform-action transmit exceed-action drop
-Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
+Step 4: Verify that the CoPP policy is enabled. The following is an example configuration:
-control-plane
-service-policy input CONTROL_PLANE_POLICY
+control-plane
+service-policy input CONTROL_PLANE_POLICY
 Note: Control Plane Protection (CPPr) can be used to filter as well as police control plane traffic destined to the RP. CPPr is very similar to CoPP and has the ability to filter and police traffic using finer granularity by dividing the aggregate control plane into three separate categories: (1) host, (2) transit, and (3) CEF-exception. Hence, a separate policy-map could be configured for each traffic category.
If the Cisco router is not configured to protect against known types of DoS attacks by employing organization-defined security safeguards, this is a finding.SRG-NET-000205-RTR-000001<GroupDescription></GroupDescription>CISC-RT-000130The Cisco router must be configured to restrict traffic destined to itself.<VulnDiscussion>The route processor handles traffic destined to the router—the key component used to build forwarding paths and is instrumental with all network management functions. Hence, any disruption or denial of service (DoS) attack to the route processor can result in mission critical network outages.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96875SV-106013CCI-001097Step 1: Configure the ACL for any external interfaces as shown in the example. R1(config)#ip access-list extended EXTERNAL_ACL
-R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
+R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2
 R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply
@@ -459,14 +459,14 @@ ip access-list extended INTERNAL_ACL
 Note: For the internal ACL example, all routers within the hypothetical network (10.1.0.0/16) have been configured to use the loopback address to source all management traffic (not shown); hence, the loopbacks are the only allowable destination address for management traffic. In addition, all management traffic destined to the router must originate from the management network (10.2.1.0/24). With the exception of link-local control plane traffic and ICMP, all other traffic destined to any physical interface address will be dropped. Step 2: Verify that the ACL has been applied to the appropriate interface as shown in the example below:
-
+
 interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL in interface GigabitEthernet0/3 ip address 10.1.12.2 255.255.255.0 ip access-group INTERNAL_ACL in
-
+
 If the router is not configured to restrict traffic destined to itself, this is a finding.SRG-NET-000205-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000140The Cisco router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.<VulnDiscussion>Fragmented ICMP packets can be generated by hackers for DoS attacks such as Ping O' Death and Teardrop.
It is imperative that all fragmented ICMP packets are dropped.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96877SV-106015CCI-001097Configure the external and internal ACLs to drop all fragmented ICMP packets destined to itself as shown in the example below: R1(config)#ip access-list extended EXTERNAL_ACL
@@ -531,9 +531,9 @@ R4(config)#ip icmp rate-limit unreachable df 100
 R4(config)#ip icmp rate-limit unreachable 100000 R4(config)#end
-Alternative – Non DODIN Backbone.
+Alternative – Non DODIN Backbone.
-An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
+An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
 Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:
@@ -543,7 +543,7 @@ R2(config-ext-nacl)#permit icmp any any administratively-prohibited
 R2(config-ext-nacl)#exit Step 2: Create a route map to forward these ICMP messages to the Null0 interface.
-
+
 R2(config)#route-map LOCAL_POLICY R2(config-route-map)#match ip address ICMP_T3C1C13 R2(config-route-map)#set interface Null0
@@ -578,7 +578,7 @@ Note: In the example above, packet-too-big message (ICMP Type 3 Code 4) can be s
 IF the PE router is not configured to rate limit ICMP unreachable messages, this is a finding.SRG-NET-000362-RTR-000114<GroupDescription></GroupDescription>CISC-RT-000180The Cisco router must be configured to have Internet Control Message Protocol (ICMP) mask reply messages disabled on all external interfaces.<VulnDiscussion>The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96885SV-106023CCI-002385Disable ip mask-reply on all external interfaces as shown below: R4(config)#int g0/1
-R4(config-if)#no ip mask-replyReview the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:
+R4(config-if)#no ip mask-replyReview the router configuration and verify that ip mask-reply command is not enabled on any external interfaces as shown in the example below:
 interface GigabitEthernet0/1 ip address x.x.x.x 255.255.255.0
@@ -618,7 +618,7 @@ If packets being dropped at interfaces are not logged, this is a finding.DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106029V-96891CCI-000132Configure the router to log events containing information to establish where the events occurred as shown in the example below: - + R5(config)#ip access-list extended INGRESS_FILTER … … @@ -644,7 +644,7 @@ If the router is not configured to produce audit records containing information In order to compile an accurate risk assessment and provide forensic analysis, security personnel need to know the source of the event. In addition to logging where events occur within the network, the audit records must also identify sources of events such as IP addresses, processes, and node or device names.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106031V-96893CCI-000133Configure the router to log events containing information to establish where the events occurred as shown in the example below: - + R5(config)#ip access-list extended INGRESS_FILTER … … 
@@ -670,7 +670,7 @@ If the router is not configured to produce audit records containing information Secured modem devices must be able to authenticate users and must negotiate a key exchange before full encryption takes place. The modem will provide full encryption capability (Triple DES) or stronger. The technician who manages these devices will be authenticated using a key fob and granted access to the appropriate maintenance port; thus, the technician will gain access to the managed device (router, switch, etc.). The token provides a method of strong (two-factor) user authentication. The token works in conjunction with a server to generate one-time user passwords that will change values at second intervals. The user must know a personal identification number (PIN) and possess the token to be allowed access to the device.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96895SV-106033CCI-001414Disable the auxiliary port. R2(config)#line aux 0 -R2(config-line)#no exec +R2(config-line)#no exec R2(config-line)#transport input noneReview the configuration and verify that the auxiliary port is disabled unless a secured modem providing encryption and authentication is connected to it. line aux 0 
@@ -686,7 +686,7 @@ Step 1: Configure an inbound ACL to deny all other traffic by default as shown i R1(config)#ip access-list extended EXTERNAL_ACL R1(config-ext-nacl)#permit tcp any any established -R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2 +R1(config-ext-nacl)#permit tcp host x.11.1.1 eq bgp host x.11.1.2 R1(config-ext-nacl)#permit tcp host x.11.1.1 host x.11.1.2 eq bgp R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo R1(config-ext-nacl)#permit icmp host x.11.1.1 host x.11.1.2 echo-reply @@ -762,7 +762,7 @@ Traffic can be restricted directly by an access control list (ACL), which is a f This requirement is intended to allow network administrators the flexibility to use whatever technique is most effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106039V-96901CCI-002403This requirement is not applicable for the DODIN Backbone. -Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations. +Configure the router to allow only incoming communications from authorized sources to be routed to authorized destinations. R1(config)#ip access-list extended FILTER_PERIMETER R1(config-ext-nacl)#nn permit udp host x.12.1.9 host x.12.1.21 eq ntp 
@@ -897,7 +897,7 @@ R5(config)#ip route 0.0.0.0 0.0.0.0 x.22.1.14SRG-NET-000205-RTR-000004<GroupDescription></GroupDescription>CISC-RT-000330The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. +If the router does not filter traffic in accordance with the guidelines contained in DoD 8551.1, this is a finding.SRG-NET-000205-RTR-000004<GroupDescription></GroupDescription>CISC-RT-000330The Cisco perimeter router must be configured to filter ingress traffic at the external interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons: 
@@ -1031,7 +1031,7 @@ interface GigabitEthernet0/2 ip address x.11.1.2 255.255.255.254 ip access-group EXTERNAL_ACL_INBOUND in -If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.SRG-NET-000205-RTR-000005<GroupDescription></GroupDescription>CISC-RT-000340The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. +If the router is not configured to filter traffic entering the network at all external interfaces in an inbound direction, this is a finding.SRG-NET-000205-RTR-000005<GroupDescription></GroupDescription>CISC-RT-000340The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction.<VulnDiscussion>Access lists are used to separate data traffic into that which it will route (permitted packets) and that which it will not route (denied packets). Secure configuration of routers makes use of access lists for restricting access to services on the router itself as well as for filtering traffic passing through the router. Inbound versus Outbound: It should be noted that some operating systems default access lists are applied to the outbound queue. The more secure solution is to apply the access list to the inbound queue for three reasons: 
@@ -1056,7 +1056,7 @@ If the router is not configured to filter traffic leaving the network at the int R5(config)#int g0/1 R5(config-if)#no lldp transmitThis requirement is not applicable for the DODIN Backbone. -Step 1: Verify LLDP is not enabled globally via the command. +Step 1: Verify LLDP is not enabled globally via the command. lldp run @@ -1093,7 +1093,7 @@ If CDP is enabled on any external interface, this is a finding.< Disable Proxy ARP on all external interfaces as shown in the example below: -R2(config)#int g0/1 +R2(config)#int g0/1 R2(config-if)#no ip proxy-arpThis requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if IP Proxy ARP is disabled on all external interfaces as shown in the example below: 
@@ -1103,7 +1103,7 @@ interface GigabitEthernet0/1 ip address x.1.12.2 255.255.255.252 no ip proxy-arp -Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration. +Note: By default Proxy ARP is enabled on all interfaces; hence, if enabled, it will not be shown in the configuration. If IP Proxy ARP is enabled on any external interface, this is a finding.SRG-NET-000364-RTR-000113<GroupDescription></GroupDescription>CISC-RT-000390The Cisco perimeter router must be configured to block all outbound management traffic.<VulnDiscussion>For in-band management, the management network must have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes, such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic. Safeguards must be implemented to ensure that the management traffic does not leak past the perimeter of the managed network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96927SV-106065CCI-001097This requirement is not applicable for the DODIN Backbone. @@ -1170,7 +1170,7 @@ Step 3: Specify the pre-shared key and the remote peer address. R4(config)#crypto isakmp key 0 xxxxxx address x.1.12.1 Note: Digital certificates can be utilized as an alternative. - + Step 4: Create the IPSec transform set for the data encryption. R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes 
@@ -1185,7 +1185,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL R4(config-crypto-map)#set transform-set TRANS_SET R4(config-crypto-map)#end -Step 6: Apply the crypto map to the external interface. +Step 6: Apply the crypto map to the external interface. R4(config)#int g0/2 R4(config-if)#crypto map IPSEC_MGMT_MAPThis requirement is not applicable for the DODIN Backbone. @@ -1207,7 +1207,7 @@ crypto isakmp policy 10 crypto isakmp key xxxxxx address x.1.12.1 ! ! -crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes +crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. @@ -1270,7 +1270,7 @@ ip access-list extended MGMT_TRAFFIC_ACL permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq snmp-trap permit udp 10.1.34.0 0.0.0.255 10.22.2.0 0.0.0.255 eq syslog - permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 + permit icmp 10.1.34.0 0.0.0.255 10.22.22.0 0.0.0.255 deny ip any any log-input If an IPSec tunnel is used, verify that the only authorized management traffic is transported to the NOC. @@ -1473,7 +1473,7 @@ R4(config)#int g0/7 R4(config-if)#ip access-group INGRESS_MANAGEMENT_ACL in R4(config-if)#ip access-group EGRESS_MANAGEMENT_ACL outThis requirement is only applicable where management access to the router is via an OOBM interface which is not a true OOBM interface. -Step 1: Verify that the managed interface has an inbound and outbound ACL configured. +Step 1: Verify that the managed interface has an inbound and outbound ACL configured. interface GigabitEthernet0/7 description link to OOBM access switch 
@@ -1481,7 +1481,7 @@ interface GigabitEthernet0/7 ip access-group INGRESS_MANAGEMENT_ACL in ip access-group EGRESS_MANAGEMENT_ACL out -Step 2: Verify that the ingress ACL only allows management and ICMP traffic. +Step 2: Verify that the ingress ACL only allows management and ICMP traffic. ip access-list extended INGRESS_MANAGEMENT_ACL permit tcp any host 10.11.1.22 eq tacacs @@ -1521,7 +1521,7 @@ Step 3: Specify the pre-shared key and the remote peer address. R4(config)#crypto isakmp key 0 xxxxxx address 10.1.12.1 Note: Digital certificates can be utilized as an alternative. - + Step 4: Create the Phase 2 policy for the data encryption. R4(config)#crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes @@ -1536,7 +1536,7 @@ R4(config-crypto-map)#match address MGMT_TRAFFIC_ACL R4(config-crypto-map)#set transform-set TRANS_SET R4(config-crypto-map)#end -Step 6: Apply the crypto map to the external interface. +Step 6: Apply the crypto map to the external interface. R4(config)#int g0/2 R4(config-if)#crypto map IPSEC_MGMT_MAPThis requirement is not applicable for the DODIN Backbone. @@ -1558,7 +1558,7 @@ crypto isakmp policy 10 crypto isakmp key xxxxxx address x.1.12.1 ! ! -crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes +crypto ipsec transform-set TRANS_SET ah-sha256-hmac esp-aes Step 3: Review the crypto map that was bound to the external interface and note the ACL defined that identifies the interesting traffic for the IPsec tunnel. @@ -1601,7 +1601,7 @@ R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 prefix-list PREFIX_FILTER in R1(config-router)#neighbor x.2.1.7 prefix-list PREFIX_FILTER in -Route Map Alternative: +Route Map Alternative: Step 1: Configure the route map referencing the configured prefix list above. 
@@ -1613,7 +1613,7 @@ Step 2: Apply the route-map inbound to each external BGP neighbor as shown in th R1(config)#router bgp xx R1(config-router)#neighbor x.1.1.9 route-map FILTER_PREFIX_MAP in -R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in +R1(config-router)#neighbor x.2.1.7 route-map FILTER_PREFIX_MAP in R1(config-router)#endReview the router configuration to verify that it will reject BGP routes for any Bogon prefixes. Step 1: Verify a prefix list has been configured containing the current Bogon prefixes as shown in the example below: @@ -1644,7 +1644,7 @@ router bgp xx neighbor x.2.1.7 remote-as zz neighbor x.2.1.7 prefix-list PREFIX_FILTER in -Route Map Alternative: +Route Map Alternative: Verify that the route map applied to the external neighbors references the configured Bogon prefix list shown above. @@ -1703,7 +1703,7 @@ Step 2: Apply the prefix list filter inbound to each CE neighbor as shown in the R1(config)#router bgp xx R1(config-router)#neighbor x.12.4.14 prefix-list FILTER_PREFIXES_CUST1 in -R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 inReview the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers. +R1(config-router)#neighbor x.12.4.16 prefix-list FILTER_PREFIXES_CUST2 inReview the router configuration to verify that there are ACLs defined to only accept routes for prefixes that belong to specific customers. Step 1: Verify prefix list has been configured for each customer containing prefixes belonging to each customer as shown in the example below: 
@@ -1893,8 +1893,8 @@ router bgp xx neighbor 10.1.1.1 remote-as xx neighbor 10.1.1.1 password xxxxxxxx neighbor 10.1.1.1 update-source Loopback0 - -If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.SRG-NET-000512-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000590The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96967SV-106105CCI-000366Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address. 
+ +If the router does not use its loopback address as the source address for all iBGP sessions, this is a finding.SRG-NET-000512-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000590The Cisco MPLS router must be configured to use its loopback address as the source address for LDP peering sessions.<VulnDiscussion>Using a loopback address as the source address offers a multitude of uses for security, access, management, and scalability of backbone routers. It is easier to construct appropriate ingress filters for router management plane traffic destined to the network management subnet since the source addresses will be from the range used for loopback interfaces instead of from a larger range of addresses used for physical interfaces. Log information recorded by authentication and syslog servers will record the router's loopback address instead of the numerous physical interface addresses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96967SV-106105CCI-000366Configure the router to use their loopback address as the source address for LDP peering sessions. As noted in the check content, the default behavior is to use its loopback address. R4(config)#mpls ldp router-id lo0Review the router configuration to determine if it is compliant with this requirement. 
@@ -1936,7 +1936,7 @@ When RSVP messages are sent out, they are sent either hop by hop or with the rou R2(config)#ip rsvp signalling rate-limit burst 9 maxsize 2100 period 30 limit 50Review the router configuration to determine RSVP messages are rate limited. -Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below: +Step 1: Determine if MPLS TE is enabled globally and at least one interface as shown in the example below: mpls traffic-eng tunnels … @@ -1951,7 +1951,7 @@ Step 2: If MPLS TE is enabled, verify that message pacing is enabled. ip rsvp signalling rate-limit period 30 burst 9 maxsize 2100 limit 50 -Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit" +Note: The command "ip rsvp msg-pacing" has been deprecated by the command "ip rsvp signalling rate-limit" If the router with RSVP-TE enabled does not rate limit RSVP messages based on the link speed and input queue size of adjacent core routers, this is a finding.SRG-NET-000512-RTR-000004<GroupDescription></GroupDescription>CISC-RT-000620The Cisco MPLS router must be configured to have TTL Propagation disabled.<VulnDiscussion>The head end of the label-switched path (LSP), the label edge router (LER) will decrement the IP packet's time-to-live (TTL) value by one and then copy the value to the MPLS TTL field. At each label-switched router (LSR) hop, the MPLS TTL value is decremented by one. The MPLS router that pops the label (either the penultimate LSR or the egress LER) will copy the packet's MPLS TTL value to the IP TTL field and decrement it by one. 
@@ -2007,9 +2007,9 @@ R5(config)#mpls ldp neighbor 10.1.1.2 password xxxxxxxxSRG-NET-000512-RTR-000008<GroupDescription></GroupDescription>CISC-RT-000670The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.<VulnDiscussion>VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits. +If the router is not configured to authenticate targeted LDP sessions using MD5, the finding will remain as a CAT II.SRG-NET-000512-RTR-000008<GroupDescription></GroupDescription>CISC-RT-000670The Cisco PE router providing MPLS Virtual Private Wire Service (VPWS) must be configured to have the appropriate virtual circuit identification (VC ID) for each attachment circuit.<VulnDiscussion>VPWS is an L2VPN technology that provides a virtual circuit between two PE routers to forward Layer 2 frames between two customer-edge routers or switches through an MPLS-enabled IP core. The ingress PE router (virtual circuit head-end) encapsulates Ethernet frames inside MPLS packets using label stacking and forwards them across the MPLS network to the egress PE router (virtual circuit tail-end). During a virtual circuit setup, the PE routers exchange VC label bindings for the specified VC ID. The VC ID specifies a pseudowire associated with an ingress and egress PE router and the customer-facing attachment circuits. 
-To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106121V-96983CCI-000366Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID. +To guarantee that all frames are forwarded onto the correct pseudowire and to the correct customer and attachment circuits, it is imperative that the correct VC ID is configured for each attachment circuit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106121V-96983CCI-000366Assign globally unique VC IDs for each virtual circuit and configure the attachment circuits with the appropriate VC ID. R5(config)#int g0/1 R5(config-if)#xconnect x.2.2.12 55 encapsulation mplsVerify that the correct and unique VCID has been configured for the appropriate attachment circuit. In the example below, GigabitEthernet0/1 is the CE-facing interface that is configured for VPWS with the VCID of 55. 
@@ -2027,13 +2027,13 @@ R1(config-vfi)#neighbor 10.3.3.3 encapsulation mpls R1(config-vfi)#bridge-domain 100 R1(config-vfi)#exit R1(config-if)#service instance 10 ethernet -R1(config-if-srv)#encapsulation untagged +R1(config-if-srv)#encapsulation untagged R1(config-if-srv)#bridge-domain 100 R1(config-if-srv)#endReview the implementation plan and the VPN IDs assigned to customer VLANs for the VPLS deployment. Review the PE router configuration to verify that customer attachment circuits are associated to the appropriate VFI. In the example below, the attached circuit at interface GigabitEthernet3 is associated to VPN ID 110. -l2 vfi VPLS_A manual +l2 vfi VPLS_A manual vpn id 110 bridge-domain 100 neighbor 10.3.3.3 encapsulation mpls 
@@ -2051,10 +2051,10 @@ If the attachment circuits have not been bound to VFI configured with the assign The PE routers use the VFI with a unique VPN ID to establish a full mesh of emulated virtual circuits or pseudowires to all the other PE routers in the VPLS instance. The full-mesh configuration allows the PE router to maintain a single broadcast domain. With a full-mesh configuration, signaling and packet replication requirements for each provisioned virtual circuit on a PE can be high. To avoid the problem of a packet looping in the provider core, thereby adding more overhead, the PE devices must enforce a split-horizon principle for the emulated virtual circuits; that is, if a packet is received on an emulated virtual circuit, it is not forwarded on any other virtual circuit.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106125V-96987CCI-000366Enable split horizon on all PE routers deploying VPLS in a full-mesh configuration. -R1(config)#l2 vfi VPLS_A manual +R1(config)#l2 vfi VPLS_A manual R1(config-vfi)#neighbor 10.3.3.3 encapsulation mplsReview the PE router configuration to verify that split horizon is enabled. By default, split horizon is enabled; hence, the attribute no-split-horizon should not be seen on the neighbor command as shown in the example below: -l2 vfi VPLS_A manual +l2 vfi VPLS_A manual vpn id 110 bridge-domain 100 neighbor 10.3.3.3 encapsulation mpls no-split-horizon 
@@ -2064,7 +2064,7 @@ If split horizon is not enabled, this is a finding. Note: This requirement is only applicable to a mesh VPLS topology. VPLS solves the loop problem by using a split-horizon rule which states that member PE routers of a VPLS must forward VPLS traffic only to the local attachment circuits when they receive the traffic from the other PE routers. In a ring VPLS, split horizon must be disabled so that a PE router can forward a packet received from one pseudowire to another pseudowire. To prevent the consequential loop, at least one span in the ring would not have a pseudowire for any given VPLS instance.SRG-NET-000193-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000700The Cisco PE router providing Virtual Private LAN Services (VPLS) must be configured to have traffic storm control thresholds on CE-facing interfaces.<VulnDiscussion>A traffic storm occurs when packets flood a VPLS bridge, creating excessive traffic and degrading network performance. Traffic storm control prevents VPLS bridge disruption by suppressing traffic when the number of packets reaches configured threshold levels. 
Traffic storm control monitors incoming traffic levels on a port and drops traffic when the number of packets reaches the configured threshold level during any one-second interval.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106127V-96989CCI-001095Configure storm control for each CE-facing interface as shown in the example below: R1(config)#int g3 -R1(config-if)#service instance 10 ethernet +R1(config-if)#service instance 10 ethernet R1(config-if-srv)#storm-control broadcast cir 12000000 R1(config-if-srv)#end 
@@ -2075,21 +2075,21 @@ interface GigabitEthernet3 service instance 10 ethernet encapsulation untagged bridge-domain 100 - storm-control broadcast cir 12000000 + storm-control broadcast cir 12000000 ! ! If storm control is not enabled at a minimum for broadcast traffic, this is a finding.SRG-NET-000362-RTR-000119<GroupDescription></GroupDescription>CISC-RT-000710The Cisco PE router must be configured to implement Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD) snooping for each Virtual Private LAN Services (VPLS) bridge domain.<VulnDiscussion>IGMP snooping provides a way to constrain multicast traffic at Layer 2. By monitoring the IGMP membership reports sent by hosts within the bridge domain, the snooping application can set up Layer 2 multicast forwarding tables to deliver traffic only to ports with at least one interested member within the VPLS bridge, thereby significantly reducing the volume of multicast traffic that would otherwise flood an entire VPLS bridge domain. The IGMP snooping operation applies to both access circuits and pseudowires within a VPLS bridge domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106129V-96991CCI-002385Configure IGMP or MLD snooping for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. R1(config)#bridge-domain 100 -R1(config-bdomain)#ip igmp snooping +R1(config-bdomain)#ip igmp snooping R1(config-bdomain)#endReview the router configuration to verify that IGMP or MLD snooping has been configured for IPv4 and IPv6 multicast traffic respectively for each VPLS bridge domain. 
The example below are the steps to verify that IGMP snooping is enabled for a VPLS bridge domain. Step 1: Verify that IGMP snooping is enabled globally. By default, IGMP snooping is enabled globally; hence, the following command should not be in the router configuration: no ip igmp snooping Step 2: If IGMP snooping is enabled globally, it will also be enabled by default for each VPLS bridge domain. Hence, the command no ip igmp snooping should not be configured for any VPLS bridge domain as shown in the example below: -bridge-domain 100 +bridge-domain 100 no ip igmp snooping ! @@ -2101,7 +2101,7 @@ A malicious attacker residing in a customer network could launch a source MAC ad R1(config-bdomain)#mac limit maximum addresses nnnnReview the PE router configuration to determine if a MAC address limit has been set for each VPLS bridge domain. -bridge-domain 100 +bridge-domain 100 mac limit maximum addresses nnnnn If a limit has not been configured, this is a finding.SRG-NET-000205-RTR-000007<GroupDescription></GroupDescription>CISC-RT-000730The Cisco PE router must be configured to block any traffic that is destined to IP core infrastructure.<VulnDiscussion>IP/MPLS networks providing VPN and transit services must provide, at the least, the same level of protection against denial of service (DoS) attacks and intrusions as Layer 2 networks. Although the IP core network elements are hidden, security should never rely entirely on obscurity. 
@@ -2109,7 +2109,7 @@ If a limit has not been configured, this is a finding.DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96995SV-106133CCI-001097Configure protection for the IP core to be implemented at the edges by blocking any traffic with a destination address assigned to the IP core infrastructure. Step 1: Configure an ingress ACL to discard and log packets destined to the IP core address space. - + R2(config)#ip access-list extended BLOCK_TO_CORE R2(config-ext-nacl)#deny ip any 10.1.x.0 0.0.255.255 log-input R2(config-ext-nacl)#exit @@ -2118,13 +2118,13 @@ Step 2: Apply the ACL inbound to all external or CE-facing interfaces. R2(config)#int R4(config)#int g0/2 R2(config-if)#ip access-group BLOCK_TO_CORE in -R2(config-if)#endStep 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces. +R2(config-if)#endStep 1: Review the router configuration to verify that an ingress ACL is applied to all external or CE-facing interfaces. interface GigabitEthernet0/2 ip address x.1.12.2 255.255.255.252 ip access-group BLOCK_TO_CORE in -Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space. +Step 2: Verify that the ingress ACL discards and logs packets destined to the IP core address space. ip access-list extended BLOCK_TO_CORE deny ip any 10.1.x.0 0.0.255.255 log-input 
@@ -2314,7 +2314,7 @@ interface GigabitEthernet1/2 ip address 10.1.15.8 255.255.255.252 service-policy output QOS_POLICY -If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.SRG-NET-000193-RTR-000112<GroupDescription></GroupDescription>CISC-RT-000780The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. +If the router is not configured to implement a QoS policy in accordance with the QoS DODIN Technical Profile, this is a finding.SRG-NET-000193-RTR-000112<GroupDescription></GroupDescription>CISC-RT-000780The Cisco PE router must be configured to enforce a Quality-of-Service (QoS) policy to limit the effects of packet flooding denial of service (DoS) attacks.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. Packet flooding distributed denial of service (DDoS) attacks are referred to as volumetric attacks and have the objective of overloading a network or circuit to deny or seriously degrade performance, which denies access to the services that normally traverse the network or circuit. Volumetric attacks have become relatively easy to launch using readily available tools such as Low Orbit Ion Cannon or botnets. 
Measures to mitigate the effects of a successful volumetric attack must be taken to ensure that sufficient capacity is available for mission-critical traffic. Managing capacity may include, for example, establishing selected network usage priorities or quotas and enforcing them using rate limiting, Quality of Service (QoS), or other resource reservation control methods. These measures may also mitigate the effects of sudden decreases in network capacity that are the result of accidental or intentional physical damage to telecommunications facilities (such as cable cuts or weather-related outages).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-97005SV-106143CCI-001095Step 1: Configure a class map for the SCAVENGER class. @@ -2336,7 +2336,7 @@ Step 1: Verify that a class map has been configured for the Scavenger class as s class-map match-all SCAVENGER match ip dscp cs1 -Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below. +Step 2: Verify that the policy map includes the SCAVENGER class with low priority as shown in the following example below. policy-map QOS_POLICY class CONTROL_PLANE 
@@ -2356,9 +2356,9 @@ class SCAVENGER Note: Traffic out of profile must be marked at the customer access layer or CE egress edge. -If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.SRG-NET-000019-RTR-000003<GroupDescription></GroupDescription>CISC-RT-000790The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.<VulnDiscussion>If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. +If the router is not configured to enforce a QoS policy to limit the effects of packet flooding DoS attacks, this is a finding.SRG-NET-000019-RTR-000003<GroupDescription></GroupDescription>CISC-RT-000790The Cisco multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.<VulnDiscussion>If multicast traffic is forwarded beyond the intended boundary, it is possible that it can be intercepted by unauthorized or unintended personnel. Limiting where, within the network, a given multicast group's data is permitted to flow is an important first step in improving multicast security. -A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. 
According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. +A scope zone is an instance of a connected region of a given scope. Zones of the same scope cannot overlap while zones of a smaller scope will fit completely within a zone of a larger scope. For example, Admin-local scope is smaller than Site-local scope, so the administratively configured boundary fits within the bounds of a site. According to RFC 4007 IPv6 Scoped Address Architecture (section 5), scope zones are also required to be "convex from a routing perspective"; that is, packets routed within a zone must not pass through any links that are outside of the zone. This requirement forces each zone to be one contiguous island rather than a series of separate islands. As stated in the DoD IPv6 IA Guidance for MO3, "One should be able to identify all interfaces of a zone by drawing a closed loop on their network diagram, engulfing some routers and passing through some routers to include only some of their interfaces." Therefore, it is imperative that the network engineers have documented their multicast topology and thereby knows which interfaces are enabled for multicast. 
Once this is done, the zones can be scoped as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-97007SV-106145CCI-001414Document all enabled interfaces for PIM in the network's multicast topology diagram. Disable support for PIM on interfaces that are not required to support it. @@ -2407,7 +2407,7 @@ Admin-Local scope is encouraged for any multicast traffic within a network inten R2(config)#ip access-list standard MULTICAST_SCOPE R2(config-std-nacl)#deny 239.0.0.0 0.255.255.255 R2(config-std-nacl)#permit any -R2(config-std-nacl)#exit +R2(config-std-nacl)#exit Step 2: Apply the multicast boundary at the appropriate interfaces as shown in the example below: 
@@ -2428,7 +2428,7 @@ ip access-list standard MULTICAST_SCOPE If the router is not configured to establish boundaries for administratively scoped multicast traffic, this is a finding.SRG-NET-000362-RTR-000120<GroupDescription></GroupDescription>CISC-RT-000820The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries.<VulnDiscussion>MSDP peering between networks enables sharing of multicast source information. Enclaves with an existing multicast topology using PIM-SM can configure their RP routers to peer with MSDP routers. As a first step of defense against a denial of service (DoS) attack, all RP routers must limit the multicast forwarding cache to ensure that router resources are not saturated managing an overwhelming number of PIM and MSDP source-active entries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-97013SV-106151CCI-002385The risk associated with this requirement can be fully mitigated by configuring the router to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers. -Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. 
+Step 1: Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 @@ -2437,7 +2437,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER -R2(config)#end +R2(config)#end Step 2: Configure the RP to rate limit the number of multicast register messages. 
@@ -2461,7 +2461,7 @@ R8(config-ext-nacl)#deny ip any anySRG-NET-000019-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000830The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106153V-97015CCI-001414Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. 
+If the RP router is not configured to filter PIM register messages, rate limiting the number of PIM register messages, and accept MSDP packets only from known MSDP peers, this is a finding.SRG-NET-000019-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000830The Cisco multicast Rendezvous Point (RP) router must be configured to filter Protocol Independent Multicast (PIM) Register messages received from the Designated Router (DR) for any undesirable multicast groups and sources.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. An attacker can flood a network segment with multicast packets, over-using the available bandwidth and thereby creating a denial of service (DoS) condition. Hence, it is imperative that register messages are accepted only for authorized multicast groups and sources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106153V-97015CCI-001414Configure the router to filter PIM register messages received from a multicast DR for any undesirable multicast groups and sources. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. R2(config)#ip access-list extended PIM_REGISTER_FILTER R2(config-ext-nacl)#deny ip any 239.5.0.0 0.0.255.255 
@@ -2513,7 +2513,7 @@ R2(config-ext-nacl)#permit ip host 10.1.2.7 any R2(config-ext-nacl)#deny ip any any R2(config-ext-nacl)#exit R2(config)#ip pim accept-register list PIM_REGISTER_FILTER -R2(config)#endVerify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. +R2(config)#endVerify that the RP router is configured to filter PIM register messages. The example below will deny any multicast streams for groups 239.5.0.0/16 and allow from only sources 10.1.2.6 and 10.1.2.7. ip pim rp-address 10.1.12.3 ip pim accept-register list PIM_REGISTER_FILTER @@ -2532,7 +2532,7 @@ R2(config)#ip access-list standard PIM_JOIN_FILTER R2(config-std-nacl)#deny 239.8.0.0 0.0.255.255 R2(config-std-nacl)#permit any R2(config-std-nacl)#exit -R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER +R2(config)#ip pim accept-rp 10.2.2.2 PIM_JOIN_FILTER R2(config)#endVerify that the RP router is configured to filter PIM join messages for any undesirable multicast groups. In the example below, groups from 239.8.0.0/16 are not allowed. ip pim rp-address 10.2.2.2 
@@ -2554,7 +2554,7 @@ ip pim register-rate-limit nn If the RP is not limiting PIM register messages, this is a finding.SRG-NET-000364-RTR-000114<GroupDescription></GroupDescription>CISC-RT-000860The Cisco multicast Designated Router (DR) must be configured to filter the Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Report messages to allow hosts to join only multicast groups that have been approved by the organization.<VulnDiscussion>Real-time multicast traffic can entail multiple large flows of data. Large unicast flows tend to be fairly isolated (i.e., someone doing a file download here or there), whereas multicast can have broader impact on bandwidth consumption, resulting in extreme network congestion. Hence, it is imperative that there is multicast admission control to restrict which multicast groups hosts are allowed to join via IGMP or MLD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106159V-97021CCI-002403Configure the DR to filter the IGMP or MLD Membership Report messages to allow hosts to join only those multicast groups that have been approved. -Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example. +Step 1: Configure the ACL to filter IGMP Membership Report messages as shown in the example. R3(config)#ip access-list standard IGMP_JOIN_FILTER R3(config-std-nacl)#deny 239.8.0.0 0.0.255.255 
@@ -2630,7 +2630,7 @@ If the DR is not limiting multicast join requests via IGMP or MLD on a global or When the last-hop router begins to receive traffic for the group from the source via the SPT, it will send a PIM Prune message to the RP for the (S, G). The RP will then send a Prune message toward the source. The SPT switchover becomes a scaling issue for large multicast topologies that have many receivers and many sources for many groups because (S, G) entries require more memory than (*, G). Hence, it is imperative to minimize the amount of (S, G) state to be maintained by increasing the threshold that determines when the SPT switchover occurs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106165V-97027CCI-002385Configure the DR to increase the SPT threshold or set it to infinity to minimalize (S, G) state within the multicast topology where ASM is deployed. -R3(config)#ip pim spt-threshold infinityReview the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over). +R3(config)#ip pim spt-threshold infinityReview the DR configuration to verify that the SPT switchover threshold is increased (default is "0") or set to infinity (never switch over). ip pim rp-address 10.2.2.2 ip pim spt-threshold infinity 
@@ -2682,7 +2682,7 @@ ip msdp password peer x.1.28.8 xxxxxxxxxxxx If the router does not require MSDP authentication, this is a finding.SRG-NET-000018-RTR-000007<GroupDescription></GroupDescription>CISC-RT-000920The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.<VulnDiscussion>The interoperability of BGP extensions for interdomain multicast routing and MSDP enables seamless connectivity of multicast domains between autonomous systems. MP-BGP advertises the unicast prefixes of the multicast sources used by Protocol Independent Multicast (PIM) routers to perform RPF checks and build multicast distribution trees. MSDP is a mechanism used to connect multiple PIM sparse-mode domains, allowing RPs from different domains to share information about active sources. When RPs in peering multicast domains hear about active sources, they can pass on that information to their local receivers, thereby allowing multicast data to be forwarded between the domains. 
Configuring an import policy to block multicast advertisements for reserved, Martian, single-source multicast, and any other undesirable multicast groups, as well as any source-group (S, G) states with Bogon source addresses, would assist in avoiding unwanted multicast traffic from traversing the core.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106171V-97033CCI-001368Configure the MSDP router to filter received source-active multicast advertisements for any undesirable multicast groups and sources as shown in the example below: R8(config)#ip access-list extended INBOUND_MSDP_SA_FILTER -R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod +R8(config-ext-nacl)#deny ip any host 224.0.1.3 ! Rwhod R8(config-ext-nacl)#deny ip any host 224.0.1.24 ! Microsoft-ds R8(config-ext-nacl)#deny ip any host 224.0.1.22 ! SVRLOC R8(config-ext-nacl)#deny ip any host 224.0.1.2 ! SGI-Dogfight 
@@ -2698,7 +2698,7 @@ R8(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any ! RFC 1918 address r R8(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any ! RFC 1918 address range R8(config-ext-nacl)#permit ip any any R8(config-ext-nacl)#exit -R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTERReview the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses. +R8(config)#ip msdp sa-filter in x.1.28.2 list INBOUND_MSDP_SA_FILTERReview the router configuration to determine if there is import policy to block source-active multicast advertisements for any undesirable multicast groups, as well as any (S, G) states with undesirable source addresses. Step 1: Verify that an inbound source-active filter is bound to each MSDP peer. 
@@ -2918,11 +2918,11 @@ ip access-list extended EXTERNAL_ACL deny ip any any option any-options permit … … - … + … … deny ip any any log-input -If the router is not configured to drop all packets with IP options, this is a finding.SRG-NET-000362-RTR-000124<GroupDescription></GroupDescription>CISC-RT-000470The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).<VulnDiscussion>As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. +If the router is not configured to drop all packets with IP options, this is a finding.SRG-NET-000362-RTR-000124<GroupDescription></GroupDescription>CISC-RT-000470The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).<VulnDiscussion>As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from denial of service (DoS) attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol-speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. 
Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106081V-96943CCI-002385Configure TTL security on all external BGP neighbors as shown in the example below: 
@@ -2943,8 +2943,8 @@ router bgp xx If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.SRG-NET-000230-RTR-000002<GroupDescription></GroupDescription>CISC-RT-000480The Cisco BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.<VulnDiscussion>If the same keys are used between eBGP neighbors, the chance of a hacker compromising any of the BGP sessions increases. It is possible that a malicious user exists in one autonomous system who would know the key used for the eBGP session. This user would then be able to hijack BGP sessions with other trusted neighbors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028SV-106083V-96945CCI-002205CCI-000366Configure the router to use unique keys for each AS that it peers with as shown in the example below: R1(config)#router bgp xx -R1(config-router)#neighbor x.1.1.9 password yyyyyyyy -R1(config-router)#neighbor x.2.1.7 password zzzzzzzzzReview the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used. +R1(config-router)#neighbor x.1.1.9 password yyyyyyyy +R1(config-router)#neighbor x.2.1.7 password zzzzzzzzzReview the BGP configuration to determine if it is peering with multiple autonomous systems. Interview the ISSM and router administrator to determine if unique keys are being used. router bgp xx no synchronization 
@@ -2956,7 +2956,7 @@ router bgp xx If unique keys are not being used, this is a finding.SRG-NET-000205-RTR-000016<GroupDescription></GroupDescription>CISC-RT-000750The Cisco PE router must be configured to ignore or drop all packets with any IP options.<VulnDiscussion>Packets with IP options are not fast-switched and therefore must be punted to the router processor. Hackers who initiate denial of service (DoS) attacks on routers commonly send large streams of packets with IP options. Dropping the packets with IP options reduces the load of IP options packets on the router. The end result is a reduction in the effects of the DoS attack on the router and on downstream routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028V-96999SV-106137CCI-002403Configure the router to ignore or drop all packets with IP options as shown in the examples below: -R4(config)#ip options ignore +R4(config)#ip options ignore or 
@@ -2968,23 +2968,23 @@ ip options ignore If the router is not configured to drop or block all packets with IP options, this is a finding.SRG-NET-000512-RTR-000100<GroupDescription></GroupDescription>CISC-RT-000235The Cisco router must be configured to have Cisco Express Forwarding enabled.<VulnDiscussion>The Cisco Express Forwarding (CEF) switching mode replaces the traditional Cisco routing cache with a data structure that mirrors the entire system routing table. Because there is no need to build cache entries when traffic starts arriving for new destinations, CEF behaves more predictably when presented with large volumes of traffic addressed to many destinations—such as a SYN flood attacks that. Because many SYN flood attacks use randomized source addresses to which the hosts under attack will reply to, there can be a substantial amount of traffic for a large number of destinations that the router will have to handle. Consequently, routers configured for CEF will perform better under SYN floods directed at hosts inside the network than routers using the traditional cache.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Enable CEF -IPv4 Example: ip cef +IPv4 Example: ip cef IPv6 Example: ipv6 cefReview the router to verify that CEF is enabled. 
-IPv4 Example: ip cef +IPv4 Example: ip cef IPv6 Example: ipv6 cefSRG-NET-000512-RTR-000012<GroupDescription></GroupDescription>CISC-RT-000236The Cisco router must be configured to advertise a hop limit of at least 32 in Router Advertisement messages for IPv6 stateless auto-configuration deployments.<VulnDiscussion>The Neighbor Discovery protocol allows a hop limit value to be advertised by routers in a Router Advertisement message being used by hosts instead of the standardized default value. If a very small value was configured and advertised to hosts on the LAN segment, communications would fail due to the hop limit reaching zero before the packets sent by a host reached its destination.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router to advertise a hop limit of at least 32 in Router Advertisement messages. R1(config)#ipv6 hop-limit 128Review the router configuration to determine if the hop limit has been configured for Router Advertisement messages as shown in the example. ipv6 hop-limit 128 -If it has been configured and has not been set to at least 32, it is a finding.SRG-NET-000512-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000237The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.<VulnDiscussion>As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. 
The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router using only authorized IPv6 addresses. Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined. +If it has been configured and has not been set to at least 32, it is a finding.SRG-NET-000512-RTR-000013<GroupDescription></GroupDescription>CISC-RT-000237The Cisco router must not be configured to use IPv6 Site Local Unicast addresses.<VulnDiscussion>As currently defined, site local addresses are ambiguous and can be present in multiple sites. The address itself does not contain any indication of the site to which it belongs. The use of site-local addresses has the potential to adversely affect network security through leaks, ambiguity, and potential misrouting as documented in section 2 of RFC3879. 
RFC3879 formally deprecates the IPv6 site-local unicast prefix FEC0::/10 as defined in RFC3513.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router using only authorized IPv6 addresses. Review the router configuration to ensure FEC0::/10 IPv6 addresses are not defined. If IPv6 Site Local Unicast addresses are defined, this is a finding.SRG-NET-000512-RTR-000014<GroupDescription></GroupDescription>CISC-RT-000391The Cisco perimeter router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces.<VulnDiscussion>Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways must be configured to suppress router advertisements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-000366Configure the router to suppress Router Advertisements on all external IPv6-enabled interfaces as shown in the example below. R1(config)#int g1/0 R1(config-if)#ipv6 nd ra suppress R1(config-if)#end -This requirement is not applicable for the DODIN Backbone. 
+This requirement is not applicable for the DODIN Backbone. Review the router configuration to verify that Router Advertisements are suppressed on all external IPv6-enabled interfaces as shown in the example below. @@ -3004,7 +3004,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 in -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is configured to drop IPv6 undetermined transport packets. 
@@ -3024,7 +3024,7 @@ ipv6 access-list FILTER_IPV6 … deny ipv6 any any log -If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.SRG-NET-000364-RTR-000201<GroupDescription></GroupDescription>CISC-RT-000393The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255. <VulnDiscussion>The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6. +If the router is not configured to drop IPv6 undetermined transport packets, this is a finding.SRG-NET-000364-RTR-000201<GroupDescription></GroupDescription>CISC-RT-000393The Cisco perimeter router must be configured drop IPv6 packets with a Routing Header type 0, 1, or 3–255. <VulnDiscussion>The routing header can be used maliciously to send a packet through a path where less robust security is in place, rather than through the presumably preferred path of routing protocols. Use of the routing extension header has few legitimate uses other than as implemented by Mobile IPv6. The Type 0 Routing Header (RFC 5095) is dangerous because it allows attackers to spoof source addresses and obtain traffic in response, rather than the real owner of the address. Secondly, a packet with an allowed destination address could be sent through a Firewall using the Routing Header functionality, only to bounce to a different node once inside. The Type 1 Routing Header is defined by a specification called "Nimrod Routing", a discontinued project funded by DARPA. Assuming that most implementations will not recognize the Type 1 Routing Header, it must be dropped. 
The Type 3–255 Routing Header values in the routing type field are currently undefined and should be dropped inbound and outbound.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Cisco IOS XE Router RTRDISADPMS TargetCisco IOS XE Router RTR4028CCI-002403Configure the router to drop IPv6 packets with Routing Header of type 0, 1, or 3-255 as shown in the example below. R1(config)#ipv6 access-list FILTER_IPV6 @@ -3038,7 +3038,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. Review the router configuration to determine if it is configured to drop IPv6 packets containing a Routing Header of type 0, 1, or 3-255. @@ -3076,9 +3076,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. -Review the router configuration to determine if it is compliant with this requirement. +Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. 
@@ -3090,7 +3090,7 @@ Step 2: Verify that the ACL drops IPv6 packets containing a Hop-by-Hop header wi ipv6 access-list FILTER_IPV6 deny hbh any any dest-option-type 4 log deny hbh any any dest-option-type 195 log - deny hbh any any dest-option-type home-address log + deny hbh any any dest-option-type home-address log permit ipv6 … … … @@ -3110,9 +3110,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. -Review the router configuration to determine if it is compliant with this requirement. +Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. @@ -3144,9 +3144,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. -Review the router configuration to determine if it is compliant with this requirement. +Review the router configuration to determine if it is compliant with this requirement. Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. 
@@ -3177,9 +3177,9 @@ R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 R1(config-if)#end -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. -Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address). +Review the router configuration and determine if filters are bound to the applicable interfaces to drop IPv6 packets containing a Destination Option header with option type value of 0xC3 (NSAP address). Step 1: Verify that an inbound IPv6 ACL has been configured on the external interface. @@ -3218,7 +3218,7 @@ R1(config-ipv6-acl)#deny any any dest-option-type 39 … R1(config-ipv6-acl)#deny any any dest-option-type 47 R1(config-ipv6-acl)#deny any any dest-option-type 49 -… +… R1(config-ipv6-acl)#deny any any dest-option-type 255 R1(config-ipv6-acl)#permit … … @@ -3228,7 +3228,7 @@ R1(config-ipv6-acl)#deny ipv6 any any log R1(config-ipv6-acl)#exit R1(config)#int g1/0 R1(config-if)#ipv6 traffic-filter FILTER_IPV6 -This requirement is not applicable for the DODIN Backbone. +This requirement is not applicable for the DODIN Backbone. Review the router configuration and determine if filters are bound to the applicable interfaces to drop all inbound IPv6 packets containing an undefined option type value regardless of whether they appear in a Hop-by-Hop or Destination Option header. Undefined values are 0x02, 0x03, 0x06, 0x9 – 0xE, 0x10 – 0x22, 0x24, 0x25, 0x27 – 0x2F, and 0x31 – 0xFF. @@ -3259,7 +3259,7 @@ ipv6 access-list FILTER_IPV6 … deny any any dest-option-type 47 deny any any dest-option-type 49 - … + … deny any any dest-option-type 255 permit … … 
@@ -3269,4 +3269,4 @@ ipv6 access-list FILTER_IPV6 Note: Because hop-by-hop and destination options have the same exact header format, they can be combined under the dest-option-type keyword. Since Hop-by-Hop and Destination Option headers have non-overlapping types, you can use dest-option-type to match either. -If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding. \ No newline at end of file +If the router is not configured to drop IPv6 packets containing a Hop-by-Hop or Destination Option extension header with an undefined option type, this is a finding. diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml index 896cb1e..a3aabd8 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml @@ -137,14 +137,14 @@ - (cmd_result.stdout|join('\n')).find('ip dns server') != -1 - iosxeSTIG_stigrule_215823_Manage # R-215823 CISC-ND-000470 -- name : stigrule_215823_disable_identd - ignore_errors: "{{ ignore_all_errors }}" - notify: "save configuration" - ios_config: - defaults: yes - lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}" - when: - - iosxeSTIG_stigrule_215823_Manage +# - name : stigrule_215823_disable_identd +# ignore_errors: "{{ ignore_all_errors }}" +# notify: "save configuration" +# ios_config: +# defaults: yes +# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}" +# when: +# - iosxeSTIG_stigrule_215823_Manage # R-215823 CISC-ND-000470 - name : stigrule_215823_disable_finger ignore_errors: "{{ ignore_all_errors }}" 
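Review bot: The `stigrule_215823_disable_identd` task in the `-137,14` hunk is commented out with no reason recorded, so the role quietly stops applying the identd part of CISC-ND-000470 while the `# R-215823 CISC-ND-000470` marker above the block still reads as if it were enforced. A one-line reason above the disabled block keeps the next reader from re-enabling or deleting it blindly, e.g. `# R-215823 disable_identd: disabled on <date> because <reason>; re-enable once <condition>` (filled in from the commit context). If it is ever re-enabled, `defaults: yes` should become `defaults: true` — `yes` is a YAML 1.1 boolean that ansible-lint's truthy rule flags. With the task out, `iosxeSTIG_stigrule_215823_Manage` now only drives `stigrule_215823_disable_finger`, which is worth stating wherever that variable is documented if that is the intent.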
@@ -378,9 +378,9 @@ - name : stigrule_215837_host ignore_errors: "{{ ignore_all_errors }}" notify: "save configuration" - ios_logging: - dest: host - name: "{{ iosxeSTIG_stigrule_215837_host_Name }}" + ios_config: + lines: + - "logging {{ iosxeSTIG_stigrule_215837_host_Name }}" when: iosxeSTIG_stigrule_215837_Manage # R-215837 CISC-ND-001000 # Please configure name IP address to a valid one. @@ -397,16 +397,18 @@ - name : stigrule_215838_ntp_server_1 ignore_errors: "{{ ignore_all_errors }}" notify: "save configuration" - ios_ntp: - server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}" + cisco.ios.ios_config: + lines: + - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}" when: iosxeSTIG_stigrule_215838_Manage # R-215838 CISC-ND-001030 # Replace ntp servers' IP address before enabling. - name : stigrule_215838_ntp_server_2 ignore_errors: "{{ ignore_all_errors }}" notify: "save configuration" - ios_ntp: - server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}" + cisco.ios.ios_config: + lines: + - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}" when: iosxeSTIG_stigrule_215838_Manage # R-215840 CISC-ND-001050 # service timestamps log datetime localtime is set in 215817. diff --git a/collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py b/collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py index cfff078..5474b83 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py +++ b/collections/ansible_collections/demo/compliance/roles/rhel7STIG/callback_plugins/stig_xml.py @@ -1,4 +1,5 @@ -from __future__ import (absolute_import, division, print_function) +from __future__ import absolute_import, division, print_function + __metaclass__ = type from ansible.plugins.callback import CallbackBase 
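Review bot: `- "logging {{ iosxeSTIG_stigrule_215837_host_Name }}"` in the `-378,9` hunk will most likely report changed on every run: IOS/IOS XE stores that command in the running configuration as `logging host <address>`, so `ios_config`'s line match never finds the text it pushed and re-sends it; pushing `- "logging host {{ iosxeSTIG_stigrule_215837_host_Name }}"` matches what the device keeps. That matters beyond idempotence if this role is reported through a callback like the `stig_xml.py` one later in this diff, which records a rule as `fail` whenever its task reports changed (I cannot see from here whether iosxeSTIG uses it). The same hunk keeps the short `ios_config:` name while the `-397,16` hunk switches to `cisco.ios.ios_config:`; use the fully qualified name in both so the role does not depend on collection search order. The `- name :` spelling with a space before the colon is pre-existing context in both hunks but is worth fixing while these tasks are being touched.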
@@ -11,76 +12,82 @@ import os import xml.etree.ElementTree as ET import xml.dom.minidom + class CallbackModule(CallbackBase): CALLBACK_VERSION = 2.0 - CALLBACK_TYPE = 'xml' - CALLBACK_NAME = 'stig_xml' + CALLBACK_TYPE = "xml" + CALLBACK_NAME = "stig_xml" CALLBACK_NEEDS_WHITELIST = True def _get_STIG_path(self): - cwd = os.path.abspath('.') + cwd = os.path.abspath(".") for dirpath, dirs, files in os.walk(cwd): - if os.path.sep + 'files' in dirpath and '.xml' in files[0]: + if os.path.sep + "files" in dirpath and ".xml" in files[0]: return os.path.join(cwd, dirpath, files[0]) def __init__(self): super(CallbackModule, self).__init__() self.rules = {} - self.stig_path = os.environ.get('STIG_PATH') - self.XML_path = os.environ.get('XML_PATH') + self.stig_path = os.environ.get("STIG_PATH") + self.XML_path = os.environ.get("XML_PATH") if self.stig_path is None: self.stig_path = self._get_STIG_path() - self._display.display('Using STIG_PATH: {}'.format(self.stig_path)) + self._display.display("Using STIG_PATH: {}".format(self.stig_path)) if self.XML_path is None: self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml" - self._display.display('Using XML_PATH: {}'.format(self.XML_path)) + self._display.display("Using XML_PATH: {}".format(self.XML_path)) print("Writing: {}".format(self.XML_path)) STIG_name = os.path.basename(self.stig_path) - ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2') - self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult') - self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name)) + ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2") + self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult") + self.tr.set( + "id", + "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name), + ) endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime()) - self.tr.set('end-time', endtime) - tg = ET.SubElement(self.tr, 
'{http://checklists.nist.gov/xccdf/1.2}target') + self.tr.set("end-time", endtime) + tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target") tg.text = platform.node() def _get_rev(self, nid): - with open(self.stig_path, 'r') as f: - r = 'SV-{}r(?P\d+)_rule'.format(nid) + with open(self.stig_path, "r") as f: + r = "SV-{}r(?P\d+)_rule".format(nid) m = re.search(r, f.read()) if m: - rev = m.group('rev') + rev = m.group("rev") else: - rev = '0' + rev = "0" return rev def v2_runner_on_ok(self, result): name = result._task.get_name() - m = re.search('stigrule_(?P\d+)', name) + m = re.search("stigrule_(?P\d+)", name) if m: - nid = m.group('id') + nid = m.group("id") else: return rev = self._get_rev(nid) key = "{}r{}".format(nid, rev) - if self.rules.get(key, 'Unknown') != False: + if self.rules.get(key, "Unknown") != False: self.rules[key] = result.is_changed() def v2_playbook_on_stats(self, stats): for rule, changed in self.rules.items(): - state = 'fail' if changed else 'pass' - rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result') - rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule)) - rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result') + state = "fail" if changed else "pass" + rr = ET.SubElement( + self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result" + ) + rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule)) + rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result") rs.text = state passing = len(self.rules) - sum(self.rules.values()) - sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score') - sc.set('maximum', str(len(self.rules))) - sc.set('system', 'urn:xccdf:scoring:flat-unweighted') + sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score") + sc.set("maximum", str(len(self.rules))) + sc.set("system", "urn:xccdf:scoring:flat-unweighted") sc.text = str(passing) - with open(self.XML_path, 'wb') as f: + with 
open(self.XML_path, "wb") as f: out = ET.tostring(self.tr) - pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8') + pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8") f.write(pretty) diff --git a/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml index 8db3c56..49be4e4 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml +++ b/collections/ansible_collections/demo/compliance/roles/rhel7STIG/files/U_RHEL_7_STIG_V3R10_Manual-xccdf.xml @@ -70,7 +70,7 @@ Update the system databases: Users must log out and back in again before the system-wide settings take effect.Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check to see if the operating system displays a banner at the logon screen with the following command: 
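Review bot: `_get_STIG_path` (the first method in the `-11,76` hunk) still evaluates `files[0]` for any directory whose path contains `/files`, so an empty such directory raises IndexError, a directory whose first entry is not the `.xml` is skipped even if a later entry is, and when nothing matches the method falls off the end and `os.path.basename(self.stig_path)` in `__init__` fails with a TypeError rather than a clear message; the reformat leaves all of that as it was. The rewrite below filters for `.xml` entries and turns the no-match case into an explicit error. Two smaller items in the same hunk: `self.rules.get(key, "Unknown") != False` in `v2_runner_on_ok` should be `is not False`, and `_get_rev` re-reads the whole STIG XML for every successful task, which could be read once and cached in `__init__`. The `(?P\d+)` groups in `_get_rev` and `v2_runner_on_ok` appear nameless as rendered here, which I take to be the page dropping `<rev>`/`<id>`; worth confirming against the file.
```python
    def _get_STIG_path(self):
        """Return the first .xml found under a 'files' directory below cwd, or None."""
        cwd = os.path.abspath(".")
        for dirpath, dirs, files in os.walk(cwd):
            if os.path.sep + "files" not in dirpath:
                continue
            xml_files = [f for f in files if f.endswith(".xml")]
            if xml_files:
                return os.path.join(dirpath, xml_files[0])
        return None

    def __init__(self):
        # … unchanged: super().__init__(), self.rules, STIG_PATH/XML_PATH lookups …
        if self.stig_path is None:
            self.stig_path = self._get_STIG_path()
            if self.stig_path is None:
                raise RuntimeError("No STIG XML found below cwd; set STIG_PATH")
        # … unchanged: XML_PATH default and TestResult element setup …
```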
@@ -224,19 +224,19 @@ Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162</VulnDiscussion& Note: If the system does not have GNOME installed, this requirement is Not Applicable. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. # touch /etc/dconf/db/local.d/00-defaults Edit "[org/gnome/login-screen]" and add or update the following line: -enable-smartcard-authentication=true +enable-smartcard-authentication=true Update the system databases: # dconf updateVerify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: 
@@ -283,7 +283,7 @@ If the "idle-delay" setting is missing or is not set to "900" or less, this is a The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73155SV-87807CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. @@ -291,7 +291,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the screensaver lock delay: - /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. + /org/gnome/desktop/screensaver/lock-delayVerify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
@@ -310,7 +310,7 @@ If the command does not return a result, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73157SV-87809CCI-000057Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory. @@ -318,7 +318,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the session idle delay: - /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. + /org/gnome/desktop/session/idle-delayVerify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
@@ -337,7 +337,7 @@ If the command does not return a result, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71899SV-86523CCI-000057Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/00-screensaver 
@@ -366,7 +366,7 @@ The session lock is implemented at the point where session activity can be deter The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78997SV-93703CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
@@ -374,7 +374,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the screensaver idle-activation-enabled setting: - /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/idle-activation-enabledVerify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. @@ -395,7 +395,7 @@ If the command does not return a result, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71901SV-86525CCI-000057Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: # touch /etc/dconf/db/local.d/00-screensaver @@ -410,7 +410,7 @@ Update the system databases: # dconf update -Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. +Users must log out and back in again before the system-wide settings take effect.Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
@@ -434,7 +434,7 @@ Add the following line to "/etc/pam.d/system-auth" (or modify the line to have t password required pam_pwquality.so retry=3 -Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules. +Note: The value of "retry" should be between "1" and "3".Verify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" with the following command: 
@@ -454,22 +454,22 @@ ucredit = -1SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-07-010130The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86529V-71905CCI-000193Configure the system to require at least one lower-case character when creating or changing a password. -Add or modify the following line +Add or modify the following line in "/etc/security/pwquality.conf": lcredit = -1Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf". 
Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: -# grep lcredit /etc/security/pwquality.conf -lcredit = -1 +# grep lcredit /etc/security/pwquality.conf +lcredit = -1 If the value of "lcredit" is not set to a negative value, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-07-010140The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -481,8 +481,8 @@ dcredit = -1SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-07-010150The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -496,7 +496,7 @@ Note: The value to require a number of special characters to be set is expressed Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: -# grep ocredit /etc/security/pwquality.conf +# grep ocredit /etc/security/pwquality.conf ocredit=-1 If the value of "ocredit" is not set to a negative value, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010160The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -509,7 +509,7 @@ difok = 8SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010170The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -522,7 +522,7 @@ minclass = 4SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010180The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
@@ -535,7 +535,7 @@ maxrepeat = 3SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-07-010190The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. @@ -548,7 +548,7 @@ maxclassrepeat = 4SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010200The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71919SV-86543CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. 
@@ -582,13 +582,13 @@ ENCRYPT_METHOD SHA512 If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>RHEL-07-010220The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71923SV-86547CCI-000196Configure the operating system to store only SHA512 encrypted representations of passwords. -Add or update the following line in "/etc/libuser.conf" in the [defaults] section: +Add or update the following line in "/etc/libuser.conf" in the [defaults] section: crypt_style = sha512Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512". Check that the system is configured to create "SHA512" hashed passwords with the following command: -# grep -i sha512 /etc/libuser.conf +# grep -i sha512 /etc/libuser.conf crypt_style = sha512 
@@ -598,7 +598,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. -Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: +Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: # grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS 1 @@ -634,7 +634,7 @@ If any results are returned that are not associated with a system account, this Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value): password requisite pam_pwhistory.so use_authtok remember=5 retry=3 - + Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Verify the operating system prohibits password reuse for a minimum of five generations. Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command: 
@@ -659,7 +659,7 @@ If the command does not return a "minlen" value of 15 or greater, this is a find Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords. -Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: +Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -699,7 +699,7 @@ Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pa auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth sufficient pam_unix.so try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +account required pam_faillock.so Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite custom authentication configuration settings while using the authconfig utility, otherwise manual changes to the listed files will be overwritten whenever the authconfig utility is used.Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command: 
@@ -707,7 +707,7 @@ Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -account required pam_faillock.so +account required pam_faillock.so If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. @@ -717,7 +717,7 @@ If the "fail_interval" parameter is set to "0" or is set to a value less than "9 If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. -Note: The maximum configurable value for "unlock_time" is "604800". +Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding. 
@@ -735,7 +735,7 @@ If the "fail_interval" parameter is set to "0" or is set to a value less than "9 If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding. -Note: The maximum configurable value for "unlock_time" is "604800". +Note: The maximum configurable value for "unlock_time" is "604800". If any line referencing the "pam_faillock.so" module is commented out, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010330The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. 
@@ -752,19 +752,19 @@ Note: Per requirement RHEL-07-010199, RHEL 7 must be configured to not overwrite # grep pam_faillock.so /etc/pam.d/password-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding. # grep pam_faillock.so /etc/pam.d/system-auth -auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 account required pam_faillock.so -If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010340The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
@@ -784,7 +784,7 @@ Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with $ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d -If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010350The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. @@ -826,7 +826,7 @@ Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] se [daemon] AutomaticLoginEnable=falseVerify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command: 
@@ -842,7 +842,7 @@ Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] sectio [daemon] TimedLoginEnable=falseVerify the operating system does not allow an unrestricted logon to the system via a graphical user interface. -Note: If the system does not have GNOME installed, this requirement is Not Applicable. +Note: If the system does not have GNOME installed, this requirement is Not Applicable. Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command: 
@@ -890,7 +890,7 @@ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block d If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-07-010482Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-95717V-81005CCI-000213Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: - + $ sudo grub2-setpassword Enter password: Confirm password:For systems that use UEFI, this is Not Applicable. 
@@ -921,7 +921,7 @@ If the grub superusers password does not begin with "grub.pbkdf2.sha512", this i Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: -1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; +1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 
@@ -1014,7 +1014,7 @@ If they are not mapped in this way, this is a finding. If administrator accounts are mapped to the "sysadm_u" SELinux user and are not documented as an operational requirement with the ISSO, this is a finding. If administrator accounts are mapped to the "sysadm_u" SELinux user and are documented as an operational requirement with the ISSO, this can be downgraded to a CAT III.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020030The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. 
It will set cron to run AIDE daily, but other file integrity tools may be used: +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86597V-71973CCI-001744Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: # more /etc/cron.daily/aide #!/bin/bash 
@@ -1036,9 +1036,9 @@ Check the cron directories for a script file controlling the execution of the fi If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-07-020040The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-71975SV-86599CCI-001744Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. -The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. +The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. # more /etc/cron.daily/aide 
@@ -1049,7 +1049,7 @@ Note: A file integrity tool other than Advanced Intrusion Detection Environment Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence. Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: - + # ls -al /etc/cron.* | grep aide -rwxr-xr-x 1 root root 602 Mar 6 20:02 aide @@ -1077,7 +1077,7 @@ Check that yum verifies the signature of packages from a repository prior to ins # grep gpgcheck /etc/yum.conf gpgcheck=1 -If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. +If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. If there is no process to validate certificates that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-07-020060The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
@@ -1092,7 +1092,7 @@ Check that yum verifies the signature of local packages prior to install with th # grep localpkg_gpgcheck /etc/yum.conf localpkg_gpgcheck=1 -If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. +If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-07-020100The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.<VulnDiscussion>USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. @@ -1137,7 +1137,7 @@ Add the following line to the created file: install dccp /bin/true -Ensure that the DCCP module is blacklisted: +Ensure that the DCCP module is blacklisted: # vi /etc/modprobe.d/blacklist.conf 
@@ -1265,7 +1265,7 @@ If the ctrl-alt-del.target is not masked, this is a finding. If the ctrl-alt-del.target is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020231The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-94843SV-104673CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command: -# touch /etc/dconf/db/local.d/00-disable-CAD +# touch /etc/dconf/db/local.d/00-disable-CAD Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: 
@@ -1309,7 +1309,7 @@ Current End of Extended Update Support for RHEL 7.7 is 30 August 2021. Current End of Maintenance Support for RHEL 7.9 is 30 June 2024. -If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
+If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020260The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86623V-71999CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
@@ -1319,19 +1319,19 @@ Check that the available package security updates have been installed on the sys Loaded plugins: langpacks, product-id, subscription-manager ID | Command line | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- - 70 | install aide | 2016-05-05 10:58 | Install | 1 + 70 | install aide | 2016-05-05 10:58 | Install | 1 69 | update -y | 2016-05-04 14:34 | Update | 18 EE - 68 | install vlc | 2016-04-21 17:12 | Install | 21 + 68 | install vlc | 2016-04-21 17:12 | Install | 21 67 | update -y | 2016-04-21 17:04 | Update | 7 EE 66 | update -y | 2016-04-15 16:47 | E, I, U | 84 EE -If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. +If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. -If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. 
Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. +If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020270The Red Hat Enterprise Linux operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86625V-72001CCI-000366Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
-Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. +Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.Verify all accounts on the system are assigned to an active system, application, or user account. 
@@ -1349,7 +1349,7 @@ halt:x:7:0:halt:/sbin:/sbin/halt games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin -Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. +Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-07-020300The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.<VulnDiscussion>If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72003SV-86627CCI-000764Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file. 
@@ -1357,7 +1357,7 @@ Check that all referenced GIDs exist with the following command: # pwck -r -If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". +If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020310The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. 
Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86629V-72005CCI-000366Change the UID of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Check the system for duplicate UID "0" assignments with the following command: 
@@ -1398,7 +1398,7 @@ In addition, if a local interactive user has a home directory defined that does Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd". -# mkdir /home/smithj +# mkdir /home/smithj # chown smithj /home/smithj # chgrp users /home/smithj # chmod 0750 /home/smithjVerify local interactive users on the system have a home directory assigned and the directory exists. 
@@ -1490,7 +1490,7 @@ Note: The example will be for the user "smithj", who has a home directory of "/h If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command: # grep smithj /etc/group -sa:x:100:juan,shelley,bob,smithj +sa:x:100:juan,shelley,bob,smithj smithj:x:521:smithj If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020680The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.<VulnDiscussion>If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72027SV-86651CCI-000366Set the mode on files and directories in the local interactive user home directory with the following command: 
@@ -1547,7 +1547,7 @@ Note: The example will be for the smithj user, who has a home directory of "/hom smithj 1000 /home/smithj # grep 1000 /etc/group -users:x:1000:smithj,jonesj,jacksons +users:x:1000:smithj,jonesj,jacksons Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. 
@@ -1575,7 +1575,7 @@ Note: The example will be for the "smithj" user, who has a home directory of "/h -rwxr----- 1 smithj users 497 Jan 6 2007 .login -rwxr----- 1 smithj users 886 Jan 6 2007 .something -If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
+If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020720The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72035SV-86659CCI-000366Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the user's home directory. 
@@ -1637,7 +1637,7 @@ Check the file systems that are mounted at boot time with the following command: # more /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 - + If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021010The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86667V-72043CCI-000366Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.Verify file systems that are used for removable media are mounted with the "nosuid" option. Check the file systems that are mounted at boot time with the following command: 
@@ -1694,11 +1694,11 @@ tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021030The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others. -The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. 
Run it once for each local partition [PART]: +The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72047SV-86671CCI-000366All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: # find [PART] -xdev -type d -perm -0002 -gid +999 -print -If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files. +If there is output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021040The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.<VulnDiscussion>The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". 
This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72049SV-86673CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove the umask statement from all local interactive user's initialization files. If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.Verify that the default umask for all local interactive users is "077". 
@@ -1804,7 +1804,7 @@ Verify that "/var/log/audit" is mounted on a separate file system: If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021340The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86689V-72065CCI-000366Start the "tmp.mount" service with the following command: # systemctl enable tmp.mount - + OR Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.Verify that a separate file system/partition has been created for "/tmp". 
@@ -1825,7 +1825,7 @@ Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPO To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. -Configure the operating system to implement DoD-approved encryption by following the steps below: +Configure the operating system to implement DoD-approved encryption by following the steps below: The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key. 
@@ -1889,7 +1889,7 @@ Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on tra If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: -# cat /proc/sys/crypto/fips_enabled +# cat /proc/sys/crypto/fips_enabled 1 If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding. 
@@ -1898,11 +1898,11 @@ Verify the file /etc/system-fips exists. # ls -l /etc/system-fips -If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. +If this file does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021600The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86693V-72069CCI-000366Configure the file integrity tool to check file and directory ACLs. 
If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify ACLs. -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. +Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: 
@@ -1913,10 +1913,10 @@ Check the "aide.conf" file to determine if the "acl" rule has been added to the An example rule that includes the "acl" rule is below: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin -If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. 
+If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021610The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86695V-72071CCI-000366Configure the file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.Verify the file integrity tool is configured to verify extended attributes. 
@@ -1930,16 +1930,16 @@ Check the "aide.conf" file to determine if the "xattrs" rule has been added to t An example rule that includes the "xattrs" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-021620The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.<VulnDiscussion>File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes. -Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
+Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86697V-72073CCI-000366Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.Verify the file integrity tool is configured to use FIPS 140-2-approved cryptographic hashes for validating file contents and directories. -Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. +Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: 
@@ -1948,10 +1948,10 @@ Use the following command to determine if the file is in another location: Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications. An example rule that includes the "sha512" rule follows: - + All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux - /bin All # apply the custom rule to the files in bin - /sbin All # apply the same custom rule to the files in sbin + /bin All # apply the custom rule to the files in bin + /sbin All # apply the same custom rule to the files in sbin If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2-approved cryptographic hashes for validating file contents and directories, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-021700The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.<VulnDiscussion>Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. 
If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86699V-72075CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.Verify the system is not configured to use a boot loader on removable media. 
@@ -1962,7 +1962,7 @@ Check for the existence of alternate boot loader configuration files with the fo # find / -name grub.cfg /boot/grub2/grub.cfg -If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. +If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. Check that the grub configuration file has the set root command in each menu entry with the following commands: 
@@ -1981,7 +1981,7 @@ Examples of non-essential capabilities include, but are not limited to, games, s The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session. -If a privileged user were to log on using this service, the privileged user password could be compromised. +If a privileged user were to log on using this service, the privileged user password could be compromised. Check to see if the telnet-server package is installed with the following command: 
@@ -2032,7 +2032,7 @@ Kernel log monitoring must also be configured to properly alert designated staff The audit daemon must be restarted for the changes to take effect.Confirm the audit configuration regarding how auditing processing failures are handled. -Check to see what level "auditctl" is set to with following command: +Check to see what level "auditctl" is set to with following command: # auditctl -s | grep -i "fail" failure 2 
@@ -2123,7 +2123,7 @@ To determine the remote server that the records are being sent to, use the follo # grep -i remote_server /etc/audisp/audisp-remote.conf remote_server = 10.0.21.1 -If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030310The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
@@ -2140,7 +2140,7 @@ To determine if the transfer is encrypted, use the following command: # grep -i enable_krb5 /etc/audisp/audisp-remote.conf enable_krb5 = yes -If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72087SV-86711CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full. 
@@ -2188,8 +2188,8 @@ space_left = 25% If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030340The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72091SV-86715CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. -Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". - +Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". + space_left_action = emailVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: 
@@ -2199,8 +2199,8 @@ space_left_action = email If the value of the "space_left_action" keyword is not set to "email", this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>RHEL-07-030350The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.<VulnDiscussion>If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72093SV-86717CCI-001855Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. -Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. - +Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. + action_mail_acct = rootVerify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. 
Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command: @@ -2427,15 +2427,15 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72145SV-86769CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when unsuccessful account access events occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /var/run/faillock -p wa -k logins -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when unsuccessful account access events occur. -Check the file system rule in "/etc/audit/audit.rules" with the following commands: +Check the file system rule in "/etc/audit/audit.rules" with the following commands: # grep -i /var/run/faillock /etc/audit/audit.rules 
@@ -2445,19 +2445,19 @@ If the command does not return any output, this is a finding.DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur. +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72147SV-86771CCI-000126CCI-000172CCI-002884Configure the operating system to generate audit records when successful account access events occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful account access events occur. 
-Check the file system rules in "/etc/audit/audit.rules" with the following commands: +Check the file system rules in "/etc/audit/audit.rules" with the following commands: # grep -i /var/log/lastlog /etc/audit/audit.rules --w /var/log/lastlog -p wa -k logins +-w /var/log/lastlog -p wa -k logins If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030630The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -2567,13 +2567,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86783V-72159CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/su" /etc/audit/audit.rules 
@@ -2587,13 +2587,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72161SV-86785CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": --a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/sudo" /etc/audit/audit.rules 
@@ -2611,9 +2611,9 @@ Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /etc/sudoers.d/ -p wa -k privileged-actions -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. -Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": +Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": # grep -i "/etc/sudoers" /etc/audit/audit.rules 
@@ -2631,13 +2631,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72165SV-86789CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/newgrp" /etc/audit/audit.rules 
@@ -2651,13 +2651,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86791V-72167CCI-000130CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/chsh" /etc/audit/audit.rules 
@@ -2679,7 +2679,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur. -Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "mount" /etc/audit/audit.rules 
@@ -2697,17 +2697,17 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72173SV-86797CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur. 
-Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/umount" /etc/audit/audit.rules --a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount +-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount If the command does not return any output, this is a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>RHEL-07-030760The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. 
@@ -2717,13 +2717,13 @@ When a user logs on, the auid is set to the uid of the account that is being aut Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72175SV-86799CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/sbin/postdrop" /etc/audit/audit.rules 
@@ -2735,15 +2735,15 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. +Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86801V-72177CCI-000135CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
-Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-postfix -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/sbin/postqueue" /etc/audit/audit.rules 
@@ -2755,15 +2755,15 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. +Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86803V-72179CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/libexec/openssh/ssh-keysign" /etc/audit/audit.rules 
@@ -2775,15 +2775,15 @@ At a minimum, the organization must audit the full-text recording of privileged When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. -Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. +Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86807V-72183CCI-000135CCI-000172CCI-002884Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-cron -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. -Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": +Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules 
@@ -2791,21 +2791,21 @@ $ sudo grep -w "/usr/bin/crontab" /etc/audit/audit.rules If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-07-030810The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. -When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. +When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. 
The audit system interprets -1, 4294967295, and "unset" in the same way.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72185SV-86809CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. -Add or update the following rule in "/etc/audit/rules.d/audit.rules": +Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep -w "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules --a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam +-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam -If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030819The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2817,7 +2817,7 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command: 
@@ -2827,13 +2827,13 @@ $ sudo grep -w "create_module" /etc/audit/audit.rules -a always,exit -F arch=b64 -S create_module -F auid>=1000 -F auid!=unset -k module-change -If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030820The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. 
-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. +Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72187SV-86811CCI-000172Configure the operating system to generate audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
@@ -2841,29 +2841,29 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records upon successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. Check the auditing rules in "/etc/audit/audit.rules" with the following command: -$ sudo grep init_module /etc/audit/audit.rules +$ sudo grep init_module /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k modulechange -If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030830The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). -Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72189SV-86813CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. -Add or update the following rules in "/etc/audit/rules.d/audit.rules": +Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module-change -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command: 
@@ -2873,19 +2873,19 @@ $ sudo grep -w "delete_module" /etc/audit/audit.rules -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module-change -If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.SRG-OS-000471-GPOS-00216<GroupDescription></GroupDescription>RHEL-07-030840The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way. 
-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. +Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86815V-72191CCI-000172Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules -The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. +The audit daemon must be restarted for the changes to take effect.Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command: 
@@ -3010,7 +3010,7 @@ Note: If another logging package is used, substitute the utility configuration f # grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf *.* @@logagg.site.mil -If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-031010The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service. 
@@ -3054,15 +3054,15 @@ Check which services are currently active with the following command: # firewall-cmd --list-all public (default, active) interfaces: enp0s3 - sources: + sources: services: dhcpv6-client dns http https ldaps rpc-bind ssh - ports: + ports: masquerade: no - forward-ports: - icmp-blocks: - rich rules: + forward-ports: + icmp-blocks: + rich rules: -Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. +Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-07-040110The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. 
@@ -3087,7 +3087,7 @@ Inspect the "Ciphers" configuration with the following command: # grep -i ciphers /etc/ssh/sshd_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr -If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. +If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-07-040160The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. 
In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. @@ -3195,7 +3195,7 @@ sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago -If the "sssd.service" is "active", then LDAP is being used. +If the "sssd.service" is "active", then LDAP is being used. Determine the "id_provider" the LDAP is currently using: @@ -3227,7 +3227,7 @@ sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago -If the "sssd.service" is "active", then LDAP is being used. +If the "sssd.service" is "active", then LDAP is being used. Determine the "id_provider" the LDAP is currently using: 
@@ -3296,14 +3296,14 @@ If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or Check that the operating system implements virtual address space randomization with the following command: - # /sbin/sysctl -a | grep kernel.randomize_va_space + # /sbin/sysctl -a | grep kernel.randomize_va_space kernel.randomize_va_space = 2 If "kernel.randomize_va_space" does not have a value of "2", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040300The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. 
@@ -3316,9 +3316,9 @@ libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1 openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1 openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1 -If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If the "SSH server" package is not installed, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-07-040310The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. -This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. +This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
@@ -3477,7 +3477,7 @@ Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-ap # grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 -If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation. 
+If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040410The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72255SV-86879CCI-000366Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: 
@@ -3505,7 +3505,7 @@ The following command will find all SSH private key files on the system and list -rw-r----- 1 root ssh_keys 202 Apr 1 11:59 ssh_host_key -rw-r----- 1 root ssh_keys 352 Apr 1 11:59 ssh_host_rsa_key -If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": +If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-07-040430The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.<VulnDiscussion>GSSAPI authentication is used to 
provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72259SV-86883CCI-000318CCI-000368CCI-001812CCI-001813CCI-001814Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": GSSAPIAuthentication no @@ -3586,7 +3586,7 @@ If NTP was running and "maxpoll" was updated, the NTP service must be restarted: If NTP was not running, it must be started: -# systemctl start ntpd +# systemctl start ntpd If "chronyd" was running and "maxpoll" was updated, the service must be restarted: @@ -3644,9 +3644,9 @@ Check to see if "firewalld" is installed with the following command: # yum list installed firewalld firewalld-0.3.9-11.el7.noarch.rpm -If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. +If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. -If an application firewall is not installed, this is a finding. +If an application firewall is not installed, this is a finding. Check to see if the firewall is loaded and active with the following command: 
@@ -3656,14 +3656,14 @@ firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago -If "firewalld" does not show a status of "loaded" and "active", this is a finding. +If "firewalld" does not show a status of "loaded" and "active", this is a finding. Check the state of the firewall: -# firewall-cmd --state +# firewall-cmd --state running -If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
+If "firewalld" does not show a state of "running", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040530The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86899V-72275CCI-000052Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". Add the following line to the top of "/etc/pam.d/postlogin": 
@@ -3732,10 +3732,10 @@ Verify that the "/etc/resolv.conf" file is immutable with the following command: If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040610The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72283SV-86907CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.all.accept_source_route = 0 Issue the following command to make the changes take effect: - + # sysctl -systemVerify the system does not accept IPv4 source-routed packets. # grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null 
@@ -3752,7 +3752,7 @@ If the returned line does not have a value of "0", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040611The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92251SV-102353CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.all.rp_filter = 1 Issue the following command to make the changes take effect: 
@@ -3772,7 +3772,7 @@ If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040612The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92253SV-102355CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.default.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 Issue the following command to make the changes take effect: 
@@ -3792,10 +3792,10 @@ If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040620The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72285SV-86909CCI-000366Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.default.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 Issue the following command to make the changes take effect: - + # sysctl --systemVerify the system does not accept IPv4 source-routed packets by default. # grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null 
@@ -3814,7 +3814,7 @@ If conflicting results are returned, this is a finding.< net.ipv4.icmp_echo_ignore_broadcasts = 1 -Issue the following command to make the changes take effect: +Issue the following command to make the changes take effect: # sysctl --systemVerify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. @@ -3831,7 +3831,7 @@ If the returned line does not have a value of "1", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040640The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86913V-72289CCI-000366Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 Issue the following command to make the changes take effect: 
@@ -3850,7 +3850,7 @@ If the returned line does not have a value of "0", this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040641The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-87827V-73175CCI-000366Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): - net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.all.accept_redirects = 0 Issue the following command to make the changes take effect: 
@@ -3867,7 +3867,7 @@ Check that the operating system implements the "accept_redirects" variables with If the returned line does not have a value of "0", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040650The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72291SV-86915CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): 
@@ -3884,11 +3884,11 @@ If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl. Check that the operating system implements the "default send_redirects" variables with the following command: # /sbin/sysctl -a | grep net.ipv4.conf.default.send_redirects - net.ipv4.conf.default.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 If the returned line does not have a value of "0", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040660The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72293SV-86917CCI-000366Configure the system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): @@ -3928,7 +3928,7 @@ If network interfaces are found on the system in promiscuous mode and their use Determine if "postfix" is installed with the following commands: # yum list installed postfix -postfix-2.6.6-6.el7.x86_64.rpm +postfix-2.6.6-6.el7.x86_64.rpm If postfix is not installed, this is Not Applicable. @@ -3981,7 +3981,7 @@ tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms If a TFTP server is not installed, this is Not Applicable. -If a TFTP server is installed, check for the server arguments with the following command: +If a TFTP server is installed, check for the server arguments with the following command: # grep server_args /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot 
@@ -4028,7 +4028,7 @@ Check that the operating system does not implement IP forwarding using the follo If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. +If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040750The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.<VulnDiscussion>When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. 
The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86935V-72311CCI-000366Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. Ensure the "sec" option is defined as "krb5:krb5i:krb5p".Verify "AUTH_GSS" is being used to authenticate NFS mounts. 
@@ -4051,9 +4051,9 @@ If the file does exist, check for the default community strings with the followi # grep public /etc/snmp/snmpd.conf # grep private /etc/snmp/snmpd.conf -If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. 
+If either of these commands returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040810The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.<VulnDiscussion>If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899SV-86939V-72315CCI-000366If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. -If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. +If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. Verify the system's access control program is configured to grant or deny system access to specific hosts. 
@@ -4110,7 +4110,7 @@ If the "IPsec" service is active, check to see if any tunnels are configured in # grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf -If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. +If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040830The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-72319SV-86943CCI-000366Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): 
@@ -4197,7 +4197,7 @@ cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; -There should be at least three lines returned. +There should be at least three lines returned. If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>RHEL-07-041010The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.<VulnDiscussion>The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-73177SV-87829CCI-001443CCI-001444CCI-002418Configure the system to disable all wireless network interfaces with the following command: 
@@ -4233,7 +4233,7 @@ Note: System configuration files (indicated by a "c" in the second column) are e # rpm -Va --noconfig | grep '^..5' -If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263CCI-000366Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. +If there is any output from the command for system files or binaries, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-020019The Red Hat Enterprise Linux operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. 
These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-92255SV-102357CCI-001263CCI-000366Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. Procedure: Check that the following package has been installed: @@ -4246,7 +4246,7 @@ Verify that the daemon is running: # ps -ef | grep -i mfetpd -If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. +If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-032000The Red Hat Enterprise Linux operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. 
@@ -4258,7 +4258,7 @@ The session lock is implemented at the point where session activity can be deter The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899V-78995SV-93701CCI-000057Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. 
@@ -4266,7 +4266,7 @@ Note: The example below is using the database "local" for the system, so if the Add the setting to lock the screensaver lock-enabled setting: - /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. + /org/gnome/desktop/screensaver/lock-enabledVerify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not Applicable. @@ -4287,7 +4287,7 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. -Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: +Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following: [org/gnome/desktop/media-handling] 
@@ -4345,23 +4345,23 @@ To ensure the veracity of audit information, the operating system must protect a Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000162CCI-000163CCI-000164CCI-001314Change the mode of the audit log files with the following command: # chmod 0600 [audit_file] -Change the owner and group owner of the audit log files with the following command: +Change the owner and group owner of the audit log files with the following command: # chown root:root [audit_file]Verify the operating system audit records have proper permissions and ownership. List the full permissions and ownership of the audit log files with the following command. 
-# ls -la /var/log/audit +# ls -la /var/log/audit total 4512 drwx------. 2 root root 23 Apr 25 16:53 . drwxr-xr-x. 17 root root 4096 Aug 9 13:09 .. -rw-------. 1 root root 8675309 Aug 9 12:54 audit.log -Audit logs must be mode 0600 or less permissive. +Audit logs must be mode 0600 or less permissive. If any are more permissive, this is a finding. The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-040711The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000366Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. 
@@ -4382,13 +4382,13 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-07-010342The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. 
@@ -4401,7 +4401,7 @@ Remove any configurations that conflict with the above from the following locati If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. -If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010343The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. @@ -4483,7 +4483,7 @@ SELinuxUser LabelingPrefix MLS/MCSLevel MLS/MCSRange SELinuxRoles guest_u user s0 s0 guest_r root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r -sysadm_u user s0 s0-s0:c0.c1023 sysadm_r +sysadm_u user s0 s0-s0:c0.c1023 sysadm_r system_u user s0 s0-s0:c0.c1023 system_r unconfined_r unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r user_u user s0 s0 user_r 
@@ -4517,7 +4517,7 @@ $ sudo visudo -f /etc/sudoers.d/<customfile> Use the following example to build the <customfile> in the /etc/sudoers.d directory to allow any administrator belonging to a designated sudoers admin group to elevate their SELinux context with the use of the sudo command: %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/Verify the operating system elevates the SELinux context when an administrator calls the sudo command with the following command: @@ -4559,7 +4559,7 @@ Verify the operating system does not have nested "include" files or directories $ sudo grep -r include /etc/sudoers.d -If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-07-010344The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. 
@@ -4603,7 +4603,7 @@ Check that the AIDE package is installed with the following command: aide-0.15.1-13.el7.x86_64 -If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. +If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. 
@@ -4635,7 +4635,7 @@ Restart the "sshd" service for changes to take effect: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 - + If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-07-010090The Red Hat Enterprise Linux operating system must have the screen package installed.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The screen and tmux packages allow for a session lock to be implemented and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 7DISADPMS TargetRed Hat Enterprise Linux 72899CCI-000057Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity. 
@@ -4666,7 +4666,7 @@ Set the system to the required kernel parameter by adding or modifying the follo kernel.dmesg_restrict = 1 -Remove any configurations that conflict with the above from the following locations: +Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/ /etc/sysctl.d/ /usr/local/lib/sysctl.d/ @@ -4696,12 +4696,12 @@ If conflicting results are returned, this is a finding.< Rename the existing configuration files (skip this step if symbolic links are already present): $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac - + Create custom system-auth configuration file: $ sudo vi /etc/pam.d/system-auth-local - + The new file, at minimum, must contain the following lines: - + auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 auth include system-auth-ac auth sufficient pam_unix.so try_first_pass @@ -4718,7 +4718,7 @@ session include system-auth-ac Create custom password-auth configuration file: $ sudo vi /etc/pam.d/password-auth-local - + The new file, at minimum, must contain the following lines: auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 @@ -4734,7 +4734,7 @@ password include password-auth-ac password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok session include password-auth-ac - + Create new or move existing symbolic links to the new custom configuration files: $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth 
@@ -4756,7 +4756,7 @@ Note: With this solution in place any custom settings to "system-auth" and "pass lrwxrwxrwx. 1 root root 30 Apr 1 11:59 /etc/pam.d/password-auth -> /etc/pam.d/password-auth-local lrwxrwxrwx. 1 root root 28 Apr 1 11:59 /etc/pam.d/system-auth -> /etc/pam.d/system-auth-local - + If system-auth and password-auth files are not symbolic links, this is a finding. -If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding. \ No newline at end of file +If system-auth and password-auth are symbolic links but do not point to "system-auth-local" and "password-auth-local", this is a finding. diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml index f11ea09..994d04b 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml @@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true' rhel8STIG_stigrule_230348_Manage: True rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock' -# R-230349 RHEL-08-020041 -rhel8STIG_stigrule_230349_Manage: True -rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' # R-230352 RHEL-08-020060 rhel8STIG_stigrule_230352_Manage: True rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900' 
@@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname'
 # R-230395 RHEL-08-030063
 rhel8STIG_stigrule_230395_Manage: True
 rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED'
-# R-230396 RHEL-08-030070
-rhel8STIG_stigrule_230396_Manage: True
-rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root'
 # R-230398 RHEL-08-030090
 # A duplicate of 230396
 # duplicate of 230396
@@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0
 # R-244554 RHEL-08-040286
 rhel8STIG_stigrule_244554_Manage: True
 rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2'
+# R-256974 RHEL-08-010358
+rhel8STIG_stigrule_256974_Manage: True
+rhel8STIG_stigrule_256974_mailx_State: installed
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
similarity index 84%
rename from collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
rename to collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
index 52e9e3d..78a900c 100644
--- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml
+++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
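Review bot: The added key `rhel8STIG_stigrule_256974_mailx_State` does not follow the naming of the other package-install variable visible in this file, `rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State`, which makes the new rule harder to find by pattern; if the task that consumes it is adjusted to match, `rhel8STIG_stigrule_256974_ensure_mailx_is_installed_State: installed` would keep the defaults uniform. In the earlier hunk of this same file (`@@ -232,9 +229,6 @@`) the R-230396 entries are removed, but the context comments `# A duplicate of 230396` and `# duplicate of 230396` under `# R-230398 RHEL-08-030090` are kept and now refer to a rule that no longer exists in the defaults, so that note should be reworded to say what 230398 actually covers (or dropped). The `_Manage: True` spelling matches the rest of the file, so leaving it is the consistent choice even though yamllint's truthy rule would prefer `true`.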
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 26 Jan 20233.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN22-00-000010Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.<VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Windows Server 2022DISADPMS TargetMicrosoft Windows Server 20225485CCI-000366Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. 
+acceptedMicrosoft Windows Server 2022 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 09 Sep 20223.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription> + + + +{% for report in reports %} + + + +{% endfor %} + +
+
+

+
+
+ {{ report }} +
+

Created with


+
+ + + + diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/new.css.j2 b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/new.css.j2 new file mode 100644 index 0000000..2340b05 --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/new.css.j2 
@@ -0,0 +1,202 @@ +p.hostname { + color: #000000; + font-weight: bolder; + font-size: large; + margin: auto; + width: 50%; + } + + #subtable { + background: #ebebeb; + margin: 0px; + width: 100%; + } + + #subtable tbody tr td { + padding: 5px 5px 5px 5px; + } + + #subtable thead th { + padding: 5px; + } + + * { + -moz-box-sizing: border-box; + -webkit-box-sizing: border-box; + box-sizing: border-box; + font-family: "Open Sans", "Helvetica"; + + } + + a { + color: #000000; + } + + p { + color: #ffffff; + } + h1 { + text-align: center; + color: #ffffff; + } + + body { + background:#353a40; + padding: 0px; + margin: 0px; + font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; + } + + table { + border-collapse: separate; + background:#fff; + @include border-radius(5px); + @include box-shadow(0px 0px 5px rgba(0,0,0,0.3)); + } + + .main_net_table { + margin:50px auto; + } + + thead { + @include border-radius(5px); + } + + thead th { + font-size:16px; + font-weight:400; + color:#fff; + @include text-shadow(1px 1px 0px rgba(0,0,0,0.5)); + text-align:left; + padding:20px; + border-top:1px solid #858d99; + background: #353a40; + + &:first-child { + @include border-top-left-radius(5px); + } + + &:last-child { + @include border-top-right-radius(5px); + } + } + + tbody tr td { + font-weight:400; + color:#5f6062; + font-size:13px; + padding:20px 20px 20px 20px; + border-bottom:1px solid #e0e0e0; + } + + tbody tr:nth-child(2n) { + background:#f0f3f5; + } + + tbody tr:last-child td { + border-bottom:none; + &:first-child { + @include border-bottom-left-radius(5px); + } + &:last-child { + @include border-bottom-right-radius(5px); + } + } + + td { + vertical-align: top; + } + + span.highlight { + background-color: yellow; + } + + .expandclass { + color: #5f6062; + } + + .content{ + display:none; + margin: 10px; + } + + header { + width: 100%; + position: initial; + float: initial; + padding: 0; + margin: 0; + border-radius: 0; + height: 88px; + background-color: #171717; + } 
+ + .header-container { + margin: 0 auto; + width: 100%; + height: 100%; + max-width: 1170px; + padding: 0; + float: initial; + display: flex; + align-items: center; + } + + .header-logo { + width: 137px; + border: 0; + margin: 0; + margin-left: 15px; + } + + .header-link { + margin-left: 40px; + text-decoration: none; + cursor: pointer; + text-transform: uppercase; + font-size: 15px; + font-family: 'Red Hat Text'; + font-weight: 500; + } + + .header-link:hover { + text-shadow: 0 0 0.02px white; + text-decoration: none; + } + + table.net_info td { + padding: 5px; +} + +p.expandclass:hover { + text-decoration: underline; + color: #EE0000; + cursor: pointer; +} + +.summary_info { +} + +.ui-state-active, .ui-widget-content .ui-state-active, .ui-widget-header .ui-state-active, a.ui-button:active, .ui-button:active, .ui-button.ui-state-active:hover { + border: 1px solid #5F0000; + background: #EE0000; +} + +div#net_content { + padding: 0px; + height: auto !important; +} + +img.router_image { + vertical-align: middle; + padding: 0px 10px 10px 10px; + width: 50px; +} + +table.net_info { + width: 100%; +} + +p.internal_label { + color: #000000; +} diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/packages.j2 b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/packages.j2 new file mode 100644 index 0000000..63b73e0 --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/packages.j2 @@ -0,0 +1,31 @@ + +
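Review bot: The `@include border-radius(5px)`, `@include box-shadow(...)` and `@include text-shadow(...)` lines in the `table`, `thead` and `thead th` rules are Sass mixin syntax, not CSS; since this file is rendered by Jinja and served as a plain stylesheet, a browser discards those declarations and the rounded corners and shadows never apply. Unless a Sass step processes the rendered output (nothing in the diff suggests one), replace them with the plain properties, e.g. `border-radius: 5px;`, `box-shadow: 0 0 5px rgba(0,0,0,0.3);` and `text-shadow: 1px 1px 0 rgba(0,0,0,0.5);`. The nested `&:first-child` / `&:last-child` blocks are likewise Sass-style nesting and only work on browsers that implement native CSS nesting, so flattening them to `thead th:first-child { border-top-left-radius: 5px; }` and the matching siblings is the portable form. The closing braces are indented inconsistently across the file (two spaces for the first half, column 0 from `table.net_info td` onward); one style throughout would make later diffs cleaner.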
+
+ + +
+
+ diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/patch.j2 b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/patch.j2 new file mode 100644 index 0000000..1d7a840 --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/patch.j2 @@ -0,0 +1,120 @@ + + + + Linux Patch Report + + +
+

Ansible Linux Patching Report

+ +
+ + +
+
+ + + + + + + + + + +{% for linux_host in ansible_play_hosts |sort %} + + + + + + +{% endfor %} + +
HostnameOperating SystemOperating System VersionRequired Updates
{{hostvars[linux_host]['inventory_hostname']}}{{hostvars[linux_host]['ansible_os_family']|default("none")}}{{hostvars[linux_host]['ansible_distribution_version']|default("none")}} +
    +{% if hostvars[linux_host].patchingresult_yum.changed|default("false",true) == true %} +{% for packagename in hostvars[linux_host].patchingresult_yum.changes.updated|sort %} +
  • {{ packagename[0] }} - {{ packagename[1] }}
  • +{% endfor %} +{% elif hostvars[linux_host].patchingresult_dnf.changed|default("false",true) == true %} +{% for packagename in hostvars[linux_host].patchingresult_dnf.results|sort %} +
  • {{ packagename }}
  • +{% endfor %} +{% elif hostvars[linux_host].patchingresult_dnf.changed is undefined %} +
  • Patching Failed
  • +{% elif hostvars[linux_host].patchingresult_yum.changed is undefined %} +
  • Patching Failed
  • +{% else %} +
  • Compliant
  • +{% endif %} +
+
+

Created with Ansible on {{hostvars[inventory_hostname].ansible_date_time.iso8601}}

+ + + diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/report.j2 new file mode 100644 index 0000000..07c9972 --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/report.j2 @@ -0,0 +1,105 @@ + + + + Ansible Linux Automation Report + + + + + + + + + + + +
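Review bot: The `Compliant` branch of the per-host `{% if %}` chain is only reachable when both `patchingresult_yum.changed` and `patchingresult_dnf.changed` are defined: a yum host whose result has `changed == false` fails the first two tests and then matches `{% elif hostvars[linux_host].patchingresult_dnf.changed is undefined %}`, so it is reported as `Patching Failed`, and a dnf host symmetrically lands in the `patchingresult_yum.changed is undefined` branch. If the play registers only the result for the host's own package manager (inferred; the task side is not in this diff), collapse the two failure tests into one, `{% elif hostvars[linux_host].patchingresult_yum.changed is undefined and hostvars[linux_host].patchingresult_dnf.changed is undefined %}`, so a single defined-but-unchanged result reaches `Compliant`. Separately, `{{ packagename }}`, `{{ packagename[0] }} - {{ packagename[1] }}` and the `inventory_hostname` / `ansible_os_family` / `ansible_distribution_version` cells are written into the HTML unescaped; Ansible's template rendering does not autoescape and these values originate on the managed hosts, so apply the escape filter (e.g. `{{ packagename | e }}`) so that a stray `<` or `&` in a package or host name cannot alter the report's markup.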
+ {% include 'header.j2' %} +
+
+

Ansible Linux Automation Report

+

+

+ + + + + + + + + + + +{% for linux_host in ansible_play_hosts |sort %} + + + + + + + +{% endfor %} + +
Linux DevicePackage ManagerOperating SystemOperating System VersionOperating System Kernel Version
+
+

+ {{ hostvars[linux_host]['inventory_hostname'].split('.')[0] }}

+
+{% if detailedreport == 'True' %} +{% include 'packages.j2' %} +{% include 'services.j2' %} +{% endif %} +
{{hostvars[linux_host]['ansible_pkg_mgr']|default("none")}}{{hostvars[linux_host]['ansible_os_family']|default("none")}}{{hostvars[linux_host]['ansible_distribution_version']|default("none")}}{{hostvars[linux_host]['ansible_kernel']|default("none")}}
+

Created with


+
+
+
+ + diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/resources.yaml.j2 b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/resources.yaml.j2 new file mode 100644 index 0000000..a3ef6bd --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/resources.yaml.j2 
@@ -0,0 +1,94 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: linux-patching-report + labels: + app: linux-patching-report +data: + index.html: | + {% filter indent(width=4) %} + {%- include 'landing.j2' %} + {% endfilter %} + + linux.html: | + {% filter indent(width=4) %} + {%- include 'report.j2' %} + {% endfilter %} + + linuxpatch.html: | + {% filter indent(width=4) %} + {%- include 'patch.j2' %} + {% endfilter %} + + new.css: | + {% filter indent(width=4) %} + {%- include 'new.css.j2' %} + {% endfilter %} + +binaryData: + server.png: {{ lookup('ansible.builtin.file', 'server.png') | b64encode }} + report.png: {{ lookup('ansible.builtin.file', 'report.png') | b64encode }} + webpage_logo.png: {{ lookup('file', 'webpage_logo.png') | b64encode }} + redhat-ansible-logo.svg: {{ lookup('ansible.builtin.file', 'redhat-ansible-logo.svg') | b64encode }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: linux-patching-report + labels: + app: linux-patching-report +spec: + replicas: 1 + selector: + matchLabels: + app: linux-patching-report + template: + metadata: + labels: + app: linux-patching-report + spec: + terminationGracePeriodSeconds: 1 + containers: + - image: registry.redhat.io/rhel8/httpd-24 + name: report-server + volumeMounts: + - name: html + mountPath: /var/www/html + volumes: + - name: html + configMap: + name: linux-patching-report +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: linux-patching-report + name: linux-patching-report +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: linux-patching-report + type: ClusterIP +--- +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + labels: + app: linux-patching-report + name: linux-patching-report +spec: + to: + kind: Service + name: linux-patching-report + weight: 100 + port: + targetPort: http + tls: + termination: edge + insecureEdgeTerminationPolicy: Redirect 
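Review bot: The Deployment's `image: registry.redhat.io/rhel8/httpd-24` carries no tag or digest, so every rollout pulls whatever `latest` currently resolves to and the report server is not reproducible; pin it, e.g. `image: registry.redhat.io/rhel8/httpd-24:<PINNED_TAG>` (placeholder) or better a `@sha256:` digest. The container also declares no `resources` requests/limits and no `securityContext`; the cluster's SCC may supply defaults, but an explicit `resources.limits` block keeps the pod bounded regardless of namespace policy. Nothing in this hunk authenticates requests, so the edge-terminated Route publishes the report — per-host names, kernel versions and outstanding updates from the included templates — to anyone who can reach the cluster ingress; if that is not intended for a demo, front the service with an authenticating proxy or restrict who can reach the Route. Minor: `webpage_logo.png` uses `lookup('file', …)` while the other three `binaryData` entries use `lookup('ansible.builtin.file', …)`; make them consistent.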
diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/services.j2 b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/services.j2 new file mode 100644 index 0000000..0a8daa6 --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/templates/services.j2 @@ -0,0 +1,30 @@ + +
+
+ + +
+
+ diff --git a/collections/ansible_collections/demo/patching/roles/report_ocp_patching/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/vars/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/collections/ansible_collections/demo/patching/roles/report_ocp_patching/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css b/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css index 3266a46..2340b05 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css +++ b/collections/ansible_collections/demo/patching/roles/report_server/files/css/new.css @@ -5,33 +5,33 @@ p.hostname { margin: auto; width: 50%; } - + #subtable { background: #ebebeb; margin: 0px; width: 100%; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #000000; } - + p { color: #ffffff; } @@ -39,14 +39,14 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; padding: 0px; margin: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; } - + table { border-collapse: separate; background:#fff; @@ -57,11 +57,11 @@ p.hostname { .main_net_table { margin:50px auto; } - + thead { @include border-radius(5px); } - + thead th { font-size:16px; font-weight:400; @@ -71,16 +71,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-weight:400; color:#5f6062; 
@@ -88,11 +88,11 @@ p.hostname { padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -102,7 +102,7 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + td { vertical-align: top; } @@ -110,16 +110,16 @@ p.hostname { span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; } - + header { width: 100%; position: initial; @@ -130,7 +130,7 @@ p.hostname { height: 88px; background-color: #171717; } - + .header-container { margin: 0 auto; width: 100%; @@ -141,14 +141,14 @@ p.hostname { display: flex; align-items: center; } - + .header-logo { width: 137px; border: 0; margin: 0; margin-left: 15px; } - + .header-link { margin-left: 40px; text-decoration: none; @@ -158,12 +158,12 @@ p.hostname { font-family: 'Red Hat Text'; font-weight: 500; } - + .header-link:hover { text-shadow: 0 0 0.02px white; text-decoration: none; } - + table.net_info td { padding: 5px; } diff --git a/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 b/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 index 6d504d0..7a7a7dd 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_server/templates/header.j2 @@ -1,5 +1,5 @@ - +
@@ -12,4 +12,4 @@ />
-
\ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 b/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 index 201d930..9d60470 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_server/templates/linux_report.j2 @@ -26,10 +26,10 @@

-
+
- {{ page }} + {{ page }} {% endfor %} diff --git a/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 b/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 index 5690437..5feb509 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_server/templates/windows_report.j2 @@ -26,10 +26,10 @@

-
+ -
{{ page }} + {{ page }} {% endfor %} diff --git a/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml b/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml index b4d3573..fa9d681 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml +++ b/collections/ansible_collections/demo/patching/roles/report_server/vars/Linux.yml @@ -1,3 +1,3 @@ --- -doc_root: /var/www/html -reports_dir: reports +doc_root: /var/www/html # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +reports_dir: reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml b/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml index ac4e675..59bb2e2 100644 --- a/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml +++ b/collections/ansible_collections/demo/patching/roles/report_server/vars/Win32NT.yml @@ -1,3 +1,3 @@ --- -doc_root: C:\Inetpub\wwwroot -reports_dir: reports +doc_root: C:\Inetpub\wwwroot # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +reports_dir: reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/README.md b/collections/ansible_collections/demo/patching/roles/report_windows/README.md index 93d6df4..4e6f320 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/README.md +++ b/collections/ansible_collections/demo/patching/roles/report_windows/README.md 
@@ -32,5 +32,5 @@ The role can be used to create an html report on any number of Linux hosts using - name: Run Windows Report import_role: name: shadowman.reports.build_report_windows - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml index 667052d..8b5e818 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows/defaults/main.yml @@ -1,2 +1,2 @@ --- -detailedreport: true +detailedreport: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css b/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css index f58d18f..afa6382 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css +++ b/collections/ansible_collections/demo/patching/roles/report_windows/files/css/new.css @@ -5,33 +5,33 @@ p.hostname { margin: auto; width: 50%; } - + #subtable { background: #ebebeb; margin: 0px; width: 100%; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -39,14 +39,14 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; padding: 0px; margin: 0px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; } - + table { border-collapse: separate; background:#fff; 
@@ -57,11 +57,11 @@ p.hostname { .main_net_table { margin:50px auto; } - + thead { @include border-radius(5px); } - + thead th { font-size:16px; font-weight:400; @@ -71,16 +71,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-weight:400; color:#5f6062; @@ -88,11 +88,11 @@ p.hostname { padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -102,7 +102,7 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + td { vertical-align: top; } @@ -110,16 +110,16 @@ p.hostname { span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; } - + header { width: 100%; position: initial; @@ -130,7 +130,7 @@ p.hostname { height: 88px; background-color: #171717; } - + .header-container { margin: 0 auto; width: 100%; @@ -141,14 +141,14 @@ p.hostname { display: flex; align-items: center; } - + .header-logo { width: 137px; border: 0; margin: 0; margin-left: 15px; } - + .header-link { margin-left: 40px; text-decoration: none; @@ -158,12 +158,12 @@ p.hostname { font-family: 'Red Hat Text'; font-weight: 500; } - + .header-link:hover { text-shadow: 0 0 0.02px white; text-decoration: none; } - + table.net_info td { padding: 5px; } @@ -199,4 +199,4 @@ table.net_info { p.internal_label { color: #000000; -} \ No newline at end of file +} diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 index 6d504d0..7a7a7dd 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 
+++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/header.j2 @@ -1,5 +1,5 @@ - +
-
\ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 index f290897..8d64895 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/packages.j2 @@ -26,4 +26,4 @@
- \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 index 7b9ada5..f3d6962 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/report.j2 @@ -79,7 +79,7 @@ collapsible: true
-

+

{{ hostvars[windows_host]['inventory_hostname'].split('.')[0] }}

{% if detailedreport == 'True' %} diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 b/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 index b443161..9b77a0d 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows/templates/services.j2 @@ -26,4 +26,4 @@ - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml index 4c3fa14..fbc2370 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows/vars/main.yml @@ -1,2 +1,2 @@ --- -file_path: C:\Inetpub\wwwroot\reports +file_path: C:\Inetpub\wwwroot\reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md b/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md index dec8155..b0e1104 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/README.md @@ -32,5 +32,5 @@ The role can be used to create an html patching report on any number of Linux ho - name: Run Windows Patch Report import_role: name: shadowman.reports.build_report_windows_patch - -``` \ No newline at end of file + +``` diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml index 8aa09a6..19e0bed 100644 
--- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/defaults/main.yml @@ -1,4 +1,4 @@ --- -email_from: tower@shadowman.dev -to_emails: alex@shadowman.dev,tower@shadowman.dev -to_emails_list: "{{ to_emails.split(',') }}" +email_from: tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +to_emails: alex@shadowman.dev,tower@shadowman.dev # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +to_emails_list: "{{ to_emails.split(',') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css b/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css index dfeb435..edbd140 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/files/css/main.css @@ -3,32 +3,32 @@ p.hostname { font-weight: bolder; font-size: large; } - + #subtable { background: #ebebeb; margin: 0px; } - + #subtable tbody tr td { padding: 5px 5px 5px 5px; } - + #subtable thead th { padding: 5px; } - + * { -moz-box-sizing: border-box; -webkit-box-sizing: border-box; box-sizing: border-box; font-family: "Open Sans", "Helvetica"; - + } - + a { color: #ffffff; } - + p { color: #ffffff; } @@ -36,11 +36,11 @@ p.hostname { text-align: center; color: #ffffff; } - + body { background:#353a40; } - + table { border-collapse: separate; background:#fff; 
@@ -48,11 +48,11 @@ p.hostname { margin:50px auto; @include box-shadow(0px 0px 5px rgba(0,0,0,0.3)); } - + thead { @include border-radius(5px); } - + thead th { font-family: 'Patua One', monospace; font-size:16px; @@ -63,16 +63,16 @@ p.hostname { padding:20px; border-top:1px solid #858d99; background: #353a40; - + &:first-child { @include border-top-left-radius(5px); } - + &:last-child { @include border-top-right-radius(5px); } } - + tbody tr td { font-family: 'Open Sans', sans-serif; font-weight:400; @@ -80,13 +80,13 @@ p.hostname { font-size:13px; padding:20px 20px 20px 20px; border-bottom:1px solid #e0e0e0; - + } - + tbody tr:nth-child(2n) { background:#f0f3f5; } - + tbody tr:last-child td { border-bottom:none; &:first-child { @@ -96,16 +96,16 @@ p.hostname { @include border-bottom-right-radius(5px); } } - + span.highlight { background-color: yellow; } - + .expandclass { color: #5f6062; } - + .content{ display:none; margin: 10px; - } \ No newline at end of file + } diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 b/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 index 3da03ec..825f370 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/templates/report.j2 @@ -110,4 +110,4 @@ function downloadCSVFile(csv_data) { } - \ No newline at end of file + diff --git a/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml b/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml index 4c3fa14..6ec950a 100644 --- a/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml +++ b/collections/ansible_collections/demo/patching/roles/report_windows_patching/vars/main.yml 
@@ -1,2 +1,2 @@ --- -file_path: C:\Inetpub\wwwroot\reports +file_path: C:\Inetpub\wwwroot\reports # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml b/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml index d2bf1af..b42aa2f 100644 --- a/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml +++ b/collections/ansible_collections/demo/satellite/roles/register_host/defaults/main.yml @@ -1,5 +1,5 @@ --- -instance_name: "{{ inventory_hostname | regex_replace('_', '-') }}" -activation_key: "{{ 'RHEL' + ansible_distribution_major_version + '_' + env }}" -rex_user: root # "{{ ansible_user }}" -force_register: true +instance_name: "{{ inventory_hostname | regex_replace('_', '-') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +activation_key: "{{ 'RHEL' + ansible_distribution_major_version + '_' + env }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +rex_user: root # "{{ ansible_user }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +force_register: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml index 07c3a0e..4f1e0d2 100644 --- a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml +++ b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat7.yml 
@@ -1,4 +1,4 @@ --- -rhsm_enabled_repos: +rhsm_enabled_repos: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way - rhel-7-server-rpms # - rhel-7-server-satellite-maintenance-6.11-rpms diff --git a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml index eb20ab3..9d48927 100644 --- a/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml +++ b/collections/ansible_collections/demo/satellite/roles/register_host/vars/RedHat8.yml @@ -1,5 +1,5 @@ --- -rhsm_enabled_repos: +rhsm_enabled_repos: # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way - rhel-8-for-x86_64-baseos-rpms - rhel-8-for-x86_64-appstream-rpms - satellite-client-6-for-rhel-8-x86_64-rpms diff --git a/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml b/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml index 343df82..029a600 100644 --- a/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml +++ b/collections/ansible_collections/demo/satellite/roles/scap_client/defaults/main.yaml 
@@ -1,13 +1,13 @@ --- -foreman_server_url: "{{ lookup('env', 'SATELLITE_SERVER') }}" -foreman_username: "{{ lookup('env', 'SATELLITE_USERNAME') }}" -foreman_password: "{{ lookup('env', 'SATELLITE_PASSWORD') }}" -foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}" -capsule_server: "{{ foreman_server_url }}" -capsule_port: '9090' -policy_name: 'all' -policy_scan: "{{ policy_name }}" -crontab_hour: 2 -crontab_minute: 0 -crontab_weekdays: 0 -foreman_operations_scap_client_secure_logging: true +foreman_server_url: "{{ lookup('env', 'SATELLITE_SERVER') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +foreman_username: "{{ lookup('env', 'SATELLITE_USERNAME') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +foreman_password: "{{ lookup('env', 'SATELLITE_PASSWORD') }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +capsule_server: "{{ foreman_server_url }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +capsule_port: '9090' # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +policy_name: 'all' # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +policy_scan: "{{ policy_name }}" # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way 
+crontab_hour: 2 # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +crontab_minute: 0 # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +crontab_weekdays: 0 # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way +foreman_operations_scap_client_secure_logging: true # noqa var-naming[no-role-prefix] - TODO : we should rework roles to use variable prefix, until scope is defined, silence is the way diff --git a/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2 b/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2 index 264cc8b..a67330b 100644 --- a/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2 +++ b/collections/ansible_collections/demo/satellite/roles/scap_client/templates/openscap_client_config.yaml.j2 @@ -17,7 +17,7 @@ # Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem') :host_private_key: '/etc/pki/consumer/key.pem' # policy (key is id as in Foreman) -{% for item in policy %} +{% for item in policy %} {{ item.id }}: {% if item.tailoring_file_id | int > 0 | d(False) %} {% for profile in tailoring_files[item.tailoring_file_id].tailoring_file_profiles %} diff --git a/collections/requirements.yml b/collections/requirements.yml index 435dff2..bb0aa01 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
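Review bot: `foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true) }}"` never falls back to `true`, because `lookup('env', …)` yields an empty string rather than an undefined value when the variable is unset, and `default()` without its second argument only replaces undefined; the module then receives `""` instead of a boolean. Use the "also replace empty" form, `foreman_validate_certs: "{{ lookup('env', 'FOREMAN_VALIDATE_CERTS') | default(true, true) }}"`, so certificate validation is on in the unset case. How the consuming module treats an empty string (reject it or coerce it) is not visible in this diff, so it is worth confirming; the commit only appends `# noqa` trailers here, but the line is on the new side.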
@@ -1,44 +1,53 @@ --- +# This file is mainly used by product-demos CI, +# See cloin/ee-builds/product-demos-ee/requirements.yml +# for configuring collections and collection versions. collections: - name: ansible.controller - version: 4.4.0 + version: ">=4.5.5" + - name: infra.ah_configuration + version: ">=2.0.6" + - name: infra.controller_configuration + version: ">=2.7.1" - name: redhat_cop.controller_configuration - version: 2.3.1 + version: ">=2.3.1" # linux - name: ansible.posix - version: 1.5.4 - - name: redhat.insights - version: 1.0.7 - - name: redhat.rhel_system_roles - version: 1.20.0 + version: ">=1.5.4" - name: community.general - version: 6.3.0 + version: ">=8.0.0" - name: containers.podman + version: ">=1.12.1" + - name: redhat.insights + version: ">=1.2.2" + - name: redhat.rhel_system_roles + version: ">=1.23.0" # windows - - name: chocolatey.chocolatey - - name: community.windows - version: 1.12.0 - name: ansible.windows - version: 1.13.0 + version: ">=2.3.0" + - name: chocolatey.chocolatey + version: ">=1.5.1" + - name: community.windows + version: ">=2.2.0" # cloud - - name: azure.azcollection - version: 1.14.0 - name: amazon.aws - version: 5.2.0 + version: ">=7.5.0" # satellite - name: redhat.satellite - version: 3.8.0 + version: ">=4.0.0" # network - - name: cisco.ios - version: 4.4.0 - - name: cisco.nxos - version: 4.1.0 - - name: cisco.iosxr - version: 5.0.0 - name: ansible.netcommon - version: 5.0.0 + version: ">=6.0.0" + - name: cisco.ios + version: ">=7.0.0" + - name: cisco.iosxr + version: ">=8.0.0" + - name: cisco.nxos + version: ">=7.0.0" # openshift - - name: redhat.openshift - version: 2.3.0 - name: kubernetes.core - version: 2.4.0 + version: ">=4.0.0" + - name: redhat.openshift + version: ">=3.0.1" + - name: redhat.openshift_virtualization + version: ">=1.4.0" diff --git a/common/README.md b/common/README.md new file mode 100644 index 0000000..f023e31 --- /dev/null +++ b/common/README.md 
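Review bot: Every collection pin is changed from an exact version to an open-ended `>=` range with no upper bound, so `ansible-galaxy collection install` against this file will pick up any future major release (e.g. `community.general` `">=8.0.0"` admits 9.x and later) and the installed set is no longer reproducible or auditable from the file alone. The new header comment points to the EE build for the authoritative versions, which covers CI, but anyone installing from this file directly gets a floating result; consider bounding the ranges (`version: ">=8.0.0,<9.0.0"`) or keeping exact pins here and letting only the EE requirements float. If the intent is that this file is merely a floor for the EE build, state that explicitly in the comment so it is not used as the install manifest.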
@@ -0,0 +1,3 @@ +# Common Prerequisites + +Demos from some categories (cloud, linux, windows, etc.) have become dependent on controller resources defined in other demo categories. The setup.yml file in this directory is used to configure these common prerequisites so that they are available before setup for a demo category is called. diff --git a/common/setup.yml b/common/setup.yml new file mode 100644 index 0000000..ca88c95 --- /dev/null +++ b/common/setup.yml 
@@ -0,0 +1,283 @@ +--- +controller_execution_environments: + - name: product-demos + image: quay.io/acme_corp/product-demos-ee:latest + - name: Cloud Services Execution Environment + image: quay.io/scottharwell/cloud-ee:latest + +controller_organizations: + - name: Default + default_environment: product-demos + +controller_projects: + - name: Ansible Cloud Content Lab - AWS + organization: Default + scm_type: git + wait: true + scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git + default_environment: Cloud Services Execution Environment + +controller_credentials: + - name: AWS + credential_type: Amazon Web Services + organization: Default + update_secrets: false + state: exists + inputs: + username: REPLACEME + password: REPLACEME + +controller_inventory_sources: + - name: AWS Inventory + organization: Default + source: ec2 + inventory: Demo Inventory + credential: AWS + overwrite: true + source_vars: + hostnames: + - tag:Name + compose: + ansible_host: public_ip_address + ansible_user: 'ec2-user' + groups: + cloud_aws: true + os_linux: tags.blueprint.startswith('rhel') + os_windows: tags.blueprint.startswith('win') + keyed_groups: + - key: platform + prefix: os + - key: tags.blueprint + prefix: blueprint + - key: tags.owner + prefix: owner + - key: tags.purpose + prefix: purpose + - key: tags.deployment + prefix: deployment + +controller_groups: + - name: cloud_aws + inventory: Demo Inventory + variables: + ansible_user: ec2-user + - name: os_windows + inventory: Demo Inventory + variables: + ansible_connection: winrm + ansible_winrm_transport: credssp + +controller_templates: + - name: SUBMIT FEEDBACK + job_type: run + inventory: Demo Inventory + project: Ansible official demo project + playbook: feedback.yml + execution_environment: Default execution environment + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: 
'' + description: '' + spec: + - question_name: Name/Email/Contact + type: text + variable: email + required: true + - question_name: Issue or Feedback + type: textarea + variable: feedback + required: true + + - name: Cloud / AWS / Create VPC + job_type: run + organization: Default + credentials: + - AWS + project: Ansible official demo project + playbook: cloud/create_vpc.yml + inventory: Demo Inventory + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: AWS Region + type: multiplechoice + variable: create_vm_aws_region + required: true + choices: + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 + - question_name: Owner + type: text + variable: aws_owner_tag + required: true + + - name: Cloud / AWS / Create Keypair + job_type: run + organization: Default + credentials: + - AWS + project: Ansible official demo project + playbook: cloud/aws_key.yml + inventory: Demo Inventory + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: AWS Region + type: multiplechoice + variable: create_vm_aws_region + required: true + choices: + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 + - question_name: Keypair Name + type: text + variable: aws_key_name + required: true + default: aws-test-key + - question_name: Keypair Public Key + type: textarea + variable: aws_public_key + required: true + - question_name: Owner + type: text + variable: aws_keypair_owner + required: true + + - name: Cloud / AWS / Create VM + job_type: run + organization: Default + credentials: + - AWS + - Demo Credential + project: Ansible Cloud Content Lab - AWS + playbook: playbooks/create_vm.yml + inventory: Demo Inventory + notification_templates_started: Telemetry + 
notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + allow_simultaneous: true + survey: + name: '' + description: '' + spec: + - question_name: AWS Region + type: multiplechoice + variable: create_vm_aws_region + required: true + choices: + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 + - question_name: Name + type: text + variable: create_vm_vm_name + required: true + - question_name: Owner + type: text + variable: create_vm_vm_owner + required: true + - question_name: Deployment + type: text + variable: create_vm_vm_deployment + required: true + - question_name: Purpose + type: text + variable: create_vm_vm_purpose + required: true + default: demo + - question_name: Environment + type: multiplechoice + variable: create_vm_vm_environment + required: true + choices: + - Dev + - QA + - Prod + - question_name: Blueprint + type: multiplechoice + variable: vm_blueprint + required: true + choices: + - windows_core + - windows_full + - rhel9 + - rhel8 + - rhel7 + - al2023 + - question_name: Subnet + type: text + variable: create_vm_aws_vpc_subnet_name + required: true + default: aws-test-subnet + - question_name: Security Group + type: text + variable: create_vm_aws_securitygroup_name + required: true + default: aws-test-sg + - question_name: SSH Keypair + type: text + variable: create_vm_aws_keypair_name + required: true + default: aws-test-key + - question_name: AWS Instance Type (defaults to blueprint value) + type: text + variable: create_vm_aws_instance_size + required: false + - question_name: AWS Image Filter (defaults to blueprint value) + type: text + variable: create_vm_aws_image_filter + required: false + + - name: Cloud / AWS / Delete VM + job_type: run + organization: Default + credentials: + - AWS + - Demo Credential + project: Ansible Cloud Content Lab - AWS + playbook: playbooks/delete_inventory_vm.yml + inventory: Demo Inventory + notification_templates_started: Telemetry + 
notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Name or Pattern + type: text + variable: _hosts + required: true + +controller_notifications: + - name: Telemetry + organization: Default + notification_type: webhook + notification_configuration: + url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec + http_method: POST + headers: {} + +controller_settings: + - name: SESSION_COOKIE_AGE + value: 180000 diff --git a/linux/README.md b/linux/README.md index 620ee23..7f1b01d 100644 --- a/linux/README.md +++ b/linux/README.md 
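Review bot: `controller_settings` sets `SESSION_COOKIE_AGE` to `180000` with no comment; the value is seconds (roughly 50 hours, against a controller default of 1800), and because `common/setup.yml` is applied to every demo instance the reason belongs next to it, e.g. `# 50h session lifetime so a multi-day demo does not log out; lower this on shared instances`. The `os_windows` group sets `ansible_winrm_transport: credssp`, which delegates the full credential to the managed host; if CredSSP is only needed for a double-hop task, a comment saying so would keep it from being copied into non-demo configurations. Both execution environments are referenced by the `:latest` tag, so an upstream rebuild silently changes what every job template in this file runs; a version tag or digest would make the demo reproducible.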
@@ -60,7 +60,7 @@ Edit the `Linux / System Roles` job to include the list of roles that you wish t **Linux / Temporary Sudo** - Use this job to show how to grant sudo access with automated cleanup to a server. The user must exist on the system. Using the student user is a good example (ie. student1) -**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `node1`. This may be overridden with `extra_vars` on the Job Template. +**Linux / Patching** - Use this job to apply updates or audit for missing updates and produce an html report of systems with missing updates. See the end of the job for the URL to view the report. In other environments this report could be uploaded to a wiki, email, other system. This demo also shows installing a webserver on a linux server. The report is places on the system defined by the `report_server` variable. By default, `report_server` is configured as `reports`. This may be overridden with `extra_vars` on the Job Template. **Linux / Run Shell Script** - Use this job to demonstrate running shell commands or an existing shell script across a group of systems as root. This can be preferred over using Ad-Hoc commands due to the ability to control usage with RBAC. This is helpful in showing the scalable of execution of an existing shell script. It is always recommended to convert shell scripts to playbooks over time. Example usage would be getting the public key used in the environment with the command `cat .ssh/authorized_keys`. diff --git a/linux/compliance-enforce.yml b/linux/compliance-enforce.yml index b8122e4..36b87c4 100644 
--- a/linux/compliance-enforce.yml +++ b/linux/compliance-enforce.yml @@ -12,6 +12,5 @@ - name: Run Compliance Profile ansible.builtin.include_role: - name: "redhatofficial.rhel{{ ansible_distribution_major_version }}_{{ compliance_profile }}" - + name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}" ... diff --git a/linux/compliance_profiles.md b/linux/compliance_profiles.md index 7ef595c..209da1d 100644 --- a/linux/compliance_profiles.md +++ b/linux/compliance_profiles.md @@ -5,6 +5,7 @@ The following compliance profiles are supported by the [**Linux / Enforce Compli | **Profile** | **Role Repository** | |-------------|---------------------| | CIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cis | +| CJIS | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cjis | | CUI | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-cui | | HIPAA | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-hipaa | | OSPP | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-ospp | @@ -12,4 +13,3 @@ The following compliance profiles are supported by the [**Linux / Enforce Compli | DISA STIG | https://galaxy.ansible.com/RedHatOfficial/ansible-role-rhel8-stig | These roles are derived from the [Compliance as Code](https://github.com/ComplianceAsCode/content) project, which provides SCAP content used by the [OpenSCAP](https://www.open-scap.org/) `oscap` tool. - diff --git a/linux/patching.yml b/linux/patching.yml index e7f6a21..01801af 100644 --- a/linux/patching.yml +++ b/linux/patching.yml @@ -3,7 +3,7 @@ hosts: "{{ _hosts | default(omit) }}" become: true vars: - report_server: node1 + report_server: reports tasks: # Install yum-utils if it's not there diff --git a/linux/setup.yml b/linux/setup.yml index b4ccd52..7611677 100644 --- a/linux/setup.yml +++ b/linux/setup.yml 
@@ -3,13 +3,9 @@ user_message: - Update the 'activation_key' and 'org_id' extra variables for 'LINUX / Register with Insights'. https://access.redhat.com/management/activation_keys - Update Credential for Insights Inventory with Red Hat account. - Add variables for system_roles. https://console.redhat.com/ansible/automation-hub/repo/published/redhat/rhel_system_roles -controller_components: - - projects - - credential_types - - credentials - - inventory_sources - - job_templates +# "!unsafe" used to pass raw jinja2 through to the injector definition, see +# https://github.com/redhat-cop/controller_configuration/tree/devel/roles/credential_types#formating-injectors controller_credential_types: - name: Insights Collection kind: cloud @@ -24,13 +20,14 @@ controller_credential_types: secret: true injectors: env: - INSIGHTS_USER: "{% raw %}{ { insights_user }}{% endraw %}" - INSIGHTS_PASSWORD: "{% raw %}{ { insights_password }}{% endraw %}" + INSIGHTS_USER: !unsafe '{{ insights_user }}' + INSIGHTS_PASSWORD: !unsafe '{{ insights_password }}' controller_credentials: - name: Insights Inventory credential_type: Insights Collection organization: Default + state: exists inputs: insights_user: REPLACEME insights_password: REPLACEME @@ -377,6 +374,12 @@ controller_templates: sudo_remove_no_authenticate: false # used by CIS and STIG profile role accounts_password_set_max_life_existing: false + # used by the CJIS profile role + service_firewalld_enabled: false + firewalld_sshd_port_enabled: false + # used by the PCI-DSS profile role + firewalld_loopback_traffic_restricted: false + firewalld_loopback_traffic_trusted: false survey_enabled: true survey: name: '' @@ -392,10 +395,11 @@ controller_templates: required: true choices: - cis + - cjis - cui - hipaa - ospp - - pci_dss + - pci-dss - stig - name: "LINUX / Multi-profile Compliance Report" @@ -423,6 +427,7 @@ controller_templates: required: true choices: - cis + - cjis - cui - hipaa - ospp 
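Review bot: In the `@@ -377,6 +374,12 @@` hunk the new variables `service_firewalld_enabled`, `firewalld_sshd_port_enabled`, `firewalld_loopback_traffic_restricted` and `firewalld_loopback_traffic_trusted` are all set to `false`, which opts the demo hosts out of the firewall remediations of the CJIS and PCI-DSS profile roles, but the comments only name the role that reads them, not why they are switched off; the enclosing job template definition starts outside the hunk. A one-line reason would stop the resulting compliance report being read as a fully conforming system, e.g. `# disabled so the profile roles do not reconfigure firewalld on the demo hosts (would otherwise block access) — TODO confirm`. In the `@@ -24,13 +20,14 @@` hunk, `!unsafe` is an Ansible-specific tag that a generic safe loader (PyYAML `safe_load`, for instance) cannot construct, so this file should not be fed to any tooling outside Ansible; the new comment could mention that.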
diff --git a/multi_select_setup.yml b/multi_select_setup.yml index 8958b10..8b89318 100644 --- a/multi_select_setup.yml +++ b/multi_select_setup.yml @@ -15,4 +15,4 @@ - name: Default Components ansible.builtin.include_role: - name: "redhat_cop.controller_configuration.job_launch" + name: "infra.controller_configuration.job_launch" diff --git a/network/report.yml b/network/report.yml index 8a562f4..639e8c4 100644 --- a/network/report.yml +++ b/network/report.yml @@ -35,7 +35,7 @@ hosts: "{{ report_server }}" become: true vars: - report_server: node1 + report_server: reports web_path: /var/www/html/reports/ tasks: diff --git a/network/setup.yml b/network/setup.yml index 24501e4..aa6c90c 100644 --- a/network/setup.yml +++ b/network/setup.yml @@ -1,15 +1,6 @@ --- user_message: -controller_components: - - execution_environments - - projects - - inventories - - hosts - - inventory_sources - - inventory_source_update - - job_templates - controller_execution_environments: - name: Networking Execution Environment image: quay.io/nleiva/ee-network-image diff --git a/openshift/README.md b/openshift/README.md index d5bfd7b..4ed8adc 100644 --- a/openshift/README.md +++ b/openshift/README.md 
@@ -14,7 +14,7 @@ This category of demos shows examples of openshift operations and management wit - [**OpenShift / Dev Spaces**](devspaces.yml) - Install and deploy dev spaces on OCP cluster. After this job has run successfully, login to your OCP cluster, click the application icon (to the left of the bell icon in the top right) to access Dev Spaces ## Pre Setup -This demo requires an OpenShift cluster to deploy to. If you do not have a cluster to use, one can be requested from [demo.redhat.com](https://demo.redhat.com). +This demo requires an OpenShift cluster to deploy to. If you do not have a cluster to use, one can be requested from [demo.redhat.com](https://demo.redhat.com). - Search for the [Red Hat OpenShift Container Platform 4.12 Workshop](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.ocp412-wksp.prod&utm_source=webapp&utm_medium=share-link) item in the catalog and request with the number of users you would like for Dev Spaces. - Login using the admin credentials provided. Click the `admin` username at the top right and select `Copy login command`. - Authenticate and click `Display Token`. This information will be used to populate the OpenShift Credential after you run the setup. diff --git a/openshift/cnv/install.yml b/openshift/cnv/install.yml new file mode 100644 index 0000000..3c75f58 --- /dev/null +++ b/openshift/cnv/install.yml 
@@ -0,0 +1,101 @@ +--- +- name: Deploy OpenShift CNV Operator and create the Hyperconverged object, provision VM to prove funciontality + hosts: localhost + gather_facts: false + vars: + vm_name: ocpvtest + vm_namespace: openshift-cnv + tasks: + - name: Include role + ansible.builtin.include_role: + name: demo.openshift.cluster_config + + - name: Attempt to Provision a VM + kubernetes.core.k8s: + wait: true + state: "{{ instance_state | default('present') }}" + definition: + apiVersion: kubevirt.io/v1 + kind: VirtualMachine + metadata: + name: "{{ vm_name }}" + namespace: "{{ vm_namespace }}" + labels: + app: "{{ vm_name }}" + vm.kubevirt.io/name: "{{ vm_name }}" + spec: + dataVolumeTemplates: + - apiVersion: cdi.kubevirt.io/v1beta1 + kind: DataVolume + metadata: + creationTimestamp: null + name: "{{ vm_name }}" + spec: + sourceRef: + kind: DataSource + name: "{{ os_version | default('fedora') }}" + namespace: openshift-virtualization-os-images + storage: + resources: + requests: + storage: 30Gi + running: true + template: + metadata: + annotations: + vm.kubevirt.io/flavor: small + vm.kubevirt.io/os: "{{ os_version | default('fedora') }}" + vm.kubevirt.io/workload: server + creationTimestamp: null + labels: + kubevirt.io/domain: "{{ vm_name }}" + kubevirt.io/size: small + spec: + domain: + cpu: + cores: 4 + sockets: 1 + threads: 1 + devices: + disks: + - disk: + bus: virtio + name: rootdisk + interfaces: + - masquerade: {} + model: virtio + name: default + networkInterfaceMultiqueue: true + rng: {} + machine: + type: pc-q35-rhel9.2.0 + resources: + requests: + memory: 8Gi + evictionStrategy: LiveMigrate + networks: + - name: default + pod: {} + terminationGracePeriodSeconds: 180 + volumes: + - dataVolume: + name: "{{ vm_name }}" + name: rootdisk + retries: 60 + delay: 5 + register: provision + until: provision.changed + + - name: Clean up test VM + kubernetes.core.k8s: + wait: true + state: absent + definition: + apiVersion: kubevirt.io/v1 + kind: VirtualMachine + 
metadata: + name: "{{ vm_name }}" + namespace: "{{ vm_namespace }}" + labels: + app: "{{ vm_name }}" + vm.kubevirt.io/name: "{{ vm_name }}" diff --git a/openshift/cnv/patch.yml b/openshift/cnv/patch.yml new file mode 100644 index 0000000..6ceeceb --- /dev/null +++ b/openshift/cnv/patch.yml @@ -0,0 +1,37 @@ +--- +- name: Linux server patching for OpenShift Virtalized Hosts + hosts: "{{ _hosts | default(omit) }}" + become: true + tasks: + # Install yum-utils if it's not there + - name: Install yum-utils + ansible.builtin.yum: + name: yum-utils + state: installed + + - name: Include patching role + ansible.builtin.include_role: + name: demo.patching.patch_linux + + - name: Tell user when Insights Client is not configured + ansible.builtin.debug: + msg: "Insights client does not appear to be configured. Scan will be skipped" + when: + - ansible_local.insights.system_id is not defined + + - name: Run the Insights Client Scan # noqa: no-changed-when + ansible.builtin.command: insights-client + when: + - not ansible_check_mode + - ansible_local.insights.system_id is defined + + - name: Create nginx container + when: not ansible_check_mode + delegate_to: localhost + become: false + connection: local + run_once: true # noqa: run-once[task] + block: + - name: Publish landing page + ansible.builtin.include_role: + name: demo.patching.report_ocp_patching diff --git a/openshift/cnv/provision.yml b/openshift/cnv/provision.yml new file mode 100644 index 0000000..243a273 --- /dev/null +++ b/openshift/cnv/provision.yml 
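Review bot: The `Clean up test VM` task in `openshift/cnv/install.yml` only runs when `Attempt to Provision a VM` succeeds, and that task loops with `until: provision.changed` over `retries: 60` / `delay: 5`, so a VM that already exists (an unchanged result) or a provision that errors part-way leaves a 30Gi test VM in the operator namespace for five minutes and then fails the job without removing it. Put the provision task in a `block:` with the clean-up under `always:` so the VM is removed on every path, and make the loop condition a readiness check rather than `changed` — if the VirtualMachine object exposes a `Ready` condition, the module's `wait_condition` can replace the loop entirely. The play name also reads `funciontality`; `functionality`.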
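Review bot: `Create nginx container` in `openshift/cnv/patch.yml` is a `block:` holding a single `include_role`, with `delegate_to`, `connection`, `become` and `run_once` applied at block level; the block adds nothing over placing those keywords on the task itself, and the name describes a side effect of the role rather than the step (`- name: Publish patching report landing page`). The play name reads `Virtalized`; `Virtualized`. The play is otherwise a near copy of `linux/patching.yml` up to the report role, which is worth a comment so the two stay in step.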
@@ -0,0 +1,76 @@ +--- +- name: De-Provision OCP-CNV VM + hosts: localhost + tasks: + - name: Define resources + kubernetes.core.k8s: + wait: true + state: "{{ instance_state | default('present') }}" + definition: + apiVersion: kubevirt.io/v1 + kind: VirtualMachine + metadata: + name: "{{ vm_name }}" + namespace: "{{ vm_namespace }}" + labels: + app: "{{ vm_name }}" + os.template.kubevirt.io/fedora36: 'true' + vm.kubevirt.io/name: "{{ vm_name }}" + spec: + dataVolumeTemplates: + - apiVersion: cdi.kubevirt.io/v1beta1 + kind: DataVolume + metadata: + creationTimestamp: null + name: "{{ vm_name }}" + spec: + sourceRef: + kind: DataSource + name: "{{ os_version |default('rhel9') }}" + namespace: openshift-virtualization-os-images + storage: + resources: + requests: + storage: 30Gi + running: true + template: + metadata: + annotations: + vm.kubevirt.io/flavor: small + vm.kubevirt.io/os: "{{ os_version | default('rhel9') }}" + vm.kubevirt.io/workload: server + creationTimestamp: null + labels: + kubevirt.io/domain: "{{ vm_name }}" + kubevirt.io/size: small + spec: + domain: + cpu: + cores: 4 + sockets: 1 + threads: 1 + devices: + disks: + - disk: + bus: virtio + name: rootdisk + interfaces: + - masquerade: {} + model: virtio + name: default + networkInterfaceMultiqueue: true + rng: {} + machine: + type: pc-q35-rhel9.2.0 + resources: + requests: + memory: 8Gi + evictionStrategy: LiveMigrate + networks: + - name: default + pod: {} + terminationGracePeriodSeconds: 180 + volumes: + - dataVolume: + name: "{{ vm_name }}" + name: rootdisk diff --git a/openshift/cnv/provision_rhel.yml b/openshift/cnv/provision_rhel.yml new file mode 100644 index 0000000..cea2cbf --- /dev/null +++ b/openshift/cnv/provision_rhel.yml 
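Review bot: The play is named `De-Provision OCP-CNV VM` but `state: "{{ instance_state | default('present') }}"` creates the VM unless the caller overrides `instance_state`; the only caller in this commit (`OpenShift / CNV / Delete VM` in `openshift/setup.yml`) passes `absent`, so either rename the play to cover both directions, e.g. `- name: Provision or de-provision OCP-CNV VM`, or make `absent` the default. The label `os.template.kubevirt.io/fedora36: 'true'` is hard-coded while `os_version` defaults to `rhel9` (and `provision_rhel.yml` carries the same label), so a RHEL VM is labelled as Fedora 36; derive it from `os_version` or drop it. `gather_facts` is left at its default here although the sibling `install.yml` disables it, and `os_version |default('rhel9')` is missing the space before the pipe used everywhere else in the file.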
@@ -0,0 +1,96 @@ +--- +- name: Provision OCP-CNV RHEL VM + hosts: localhost + tasks: + - name: Define resources + redhat.openshift.k8s: + wait: true + state: "{{ instance_state | default('present') }}" + definition: + apiVersion: kubevirt.io/v1 + kind: VirtualMachine + metadata: + name: "{{ vm_name }}" + namespace: "{{ vm_namespace }}" + labels: + app: "{{ vm_name }}" + os.template.kubevirt.io/fedora36: 'true' + vm.kubevirt.io/name: "{{ vm_name }}" + spec: + dataVolumeTemplates: + - apiVersion: cdi.kubevirt.io/v1beta1 + kind: DataVolume + metadata: + creationTimestamp: null + name: "{{ vm_name }}" + spec: + sourceRef: + kind: DataSource + name: "{{ os_version }}" + namespace: openshift-virtualization-os-images + storage: + resources: + requests: + storage: 30Gi + running: true + template: + metadata: + annotations: + vm.kubevirt.io/flavor: small + vm.kubevirt.io/os: "{{ os_version }}" + vm.kubevirt.io/workload: server + creationTimestamp: null + labels: + kubevirt.io/domain: "{{ vm_name }}" + kubevirt.io/size: small + spec: + domain: + cpu: + cores: 4 + sockets: 1 + threads: 1 + devices: + disks: + - disk: + bus: virtio + name: rootdisk + - disk: + bus: virtio + name: cloudinitdisk + interfaces: + - masquerade: {} + model: virtio + name: default + networkInterfaceMultiqueue: true + rng: {} + machine: + type: pc-q35-rhel9.2.0 + resources: + requests: + memory: 8Gi + evictionStrategy: LiveMigrate + networks: + - name: default + pod: {} + terminationGracePeriodSeconds: 180 + volumes: + - dataVolume: + name: "{{ vm_name }}" + name: rootdisk + - name: cloudinitdisk + cloudInitNoCloud: + userData: |- + #cloud-config + chpasswd: { expire: False } + ssh_pwauth: False + ssh_authorized_keys: + - "{{ ssh_authorized_key }}" + rh_subscription: + activation-key: "{{ rh_subscription_key }}" + org: "{{ rh_subscription_org }}" + + - name: Wait for VM to be running + redhat.openshift_virtualization.kubevirt_vm_info: + name: "{{ vm_name }}" + namespace: "{{ vm_namespace }}" + wait: 
true diff --git a/openshift/cnv/wait.yml b/openshift/cnv/wait.yml new file mode 100644 index 0000000..459d501 --- /dev/null +++ b/openshift/cnv/wait.yml @@ -0,0 +1,14 @@ +--- +- name: Wait for VMs to start and become ready + hosts: "{{ _hosts | default(omit) }}" + gather_facts: false + tasks: + - name: Wait for + ansible.builtin.wait_for: + port: 22 + host: '{{ (ansible_ssh_host|default(ansible_host))|default(inventory_hostname) }}' + search_regex: OpenSSH + delay: 10 + retries: 10 + vars: + ansible_connection: local diff --git a/openshift/eda/install.yml b/openshift/eda/install.yml new file mode 100644 index 0000000..ef7e4c6 --- /dev/null +++ b/openshift/eda/install.yml @@ -0,0 +1,8 @@ +--- +- name: Deploy EDA Controller attached to the same AAP + hosts: localhost + gather_facts: false + tasks: + - name: Include role + ansible.builtin.include_role: + name: demo.openshift.eda_controller diff --git a/openshift/gitlab.yml b/openshift/gitlab.yml index f609657..81e271c 100644 --- a/openshift/gitlab.yml +++ b/openshift/gitlab.yml @@ -4,14 +4,14 @@ gather_facts: false tasks: - - name: create cert-manager-operator namespace + - name: Create cert-manager-operator namespace redhat.openshift.k8s: name: cert-manager-operator api_version: v1 kind: Namespace state: present - - name: create OperatorGroup object for cert-manager-operator + - name: Create OperatorGroup object for cert-manager-operator redhat.openshift.k8s: state: present definition: @@ -22,9 +22,9 @@ namespace: cert-manager-operator spec: targetNamespaces: - - cert-manager-operator + - cert-manager-operator - - name: create cert-manager-operator subscription + - name: Create cert-manager-operator subscription redhat.openshift.k8s: state: present definition: 
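Review bot: The cloud-init `userData` block in `openshift/cnv/provision_rhel.yml` embeds `rh_subscription_key` and `rh_subscription_org` directly in the VirtualMachine spec, so the activation key is stored in clear text in the VM object (readable by anyone who can `get virtualmachines` in the namespace, and printed in job output), and the survey feeding it in `openshift/setup.yml` uses a `text` question. KubeVirt's `cloudInitNoCloud` volume accepts a `secretRef`, so a preceding task can create a Secret holding the rendered user data and the volume can reference it instead. The survey values are also interpolated into YAML inside the block scalar without escaping: `ssh_authorized_key` comes from a textarea question, so a value with a second line or a leading quote breaks the cloud-config; render each value with `| to_json` so it is always a valid YAML string.
```yaml
          volumes:
            - dataVolume:
                name: "{{ vm_name }}"
              name: rootdisk
            - name: cloudinitdisk
              cloudInitNoCloud:
                # Secret with key `userdata`, created by a preceding task with the rendered cloud-config
                secretRef:
                  name: "{{ vm_name }}-cloudinit"
```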
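Review bot: `retries: 10` on the `Wait for` task in `openshift/cnv/wait.yml` has no `until:`; depending on the ansible-core version in the execution environment, `retries` without `until` is either ignored (one `wait_for` attempt with the module's default timeout) or implies retry-until-success, so the wait behaves differently across EEs. Either `register` the result and add `until: wait_result is succeeded`, or drop `retries` and rely on `wait_for`'s own `timeout`. The task name should also say what it waits for, e.g. `- name: Wait for sshd on port 22`.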
@@ -42,14 +42,14 @@ source: redhat-operators sourceNamespace: openshift-marketplace - - name: create gitlab-system namespace + - name: Create gitlab-system namespace redhat.openshift.k8s: name: gitlab-system api_version: v1 kind: Namespace state: present - - name: create OperatorGroup object for gitlab-operator-kubernetes + - name: Create OperatorGroup object for gitlab-operator-kubernetes redhat.openshift.k8s: state: present definition: @@ -60,9 +60,9 @@ namespace: gitlab-system spec: targetNamespaces: - - gitlab-system + - gitlab-system - - name: create gitlab subscription + - name: Create gitlab subscription redhat.openshift.k8s: state: present definition: @@ -80,8 +80,8 @@ source: community-operators sourceNamespace: openshift-marketplace - - name: wait for gitlab operator to install - k8s_info: + - name: Wait for gitlab operator to install + kubernetes.core.k8s_info: api_version: apiextensions.k8s.io/v1 kind: CustomResourceDefinition name: gitlabs.apps.gitlab.com @@ -91,7 +91,7 @@ delay: 30 - name: Wait until gitlab-operator is up - k8s_info: + kubernetes.core.k8s_info: api_version: v1 kind: Deployment name: gitlab-controller-manager @@ -117,7 +117,7 @@ namespace: gitlab-system spec: chart: - version: "6.11.0" + version: "{{ gitlab_chart_version }}" values: nginx-ingress: enabled: false @@ -125,7 +125,7 @@ install: false global: hosts: - domain: "{{ cluster_domain }}" # apps.cluster-9xrlv.9xrlv.sandbox644.opentlc.com + domain: "{{ cluster_domain }}" # apps.cluster-9xrlv.9xrlv.sandbox644.opentlc.com ingress: class: none configureCertmanager: true diff --git a/openshift/host_vars/localhost.yml b/openshift/host_vars/localhost.yml new file mode 100644 index 0000000..7c40544 --- /dev/null +++ b/openshift/host_vars/localhost.yml @@ -0,0 +1,2 @@ +--- +gitlab_chart_version: "8.0.1" diff --git a/openshift/inventory.kubevirt.yml b/openshift/inventory.kubevirt.yml new file mode 100644 index 0000000..cce1934 --- /dev/null +++ b/openshift/inventory.kubevirt.yml 
@@ -0,0 +1,23 @@ +--- +plugin: redhat.openshift_virtualization.kubevirt +strict: true +connections: + - namespaces: + - openshift-cnv +compose: + ansible_user: "'cloud-user' if 'rhel' in vmi_annotations['vm.kubevirt.io/os']" + vmi_annotations: "vmi_annotations | ansible.utils.replace_keys(target=[ + {'before':'vm.kubevirt.io/os', 'after':'os'}, + {'before':'vm.kubevirt.io/flavor', 'after':'flavor'}, + {'before':'vm.kubevirt.io/workload', 'after':'workload'}, + {'before':'kubevirt.io/vm-generation', 'after':'vm-generation'}, + {'before':'kubevirt.io/latest-observed-api-version', 'after':'latest-observed-api-version'}, + {'before':'kubevirt.io/storage-observed-api-version', 'after':'storage-observed-api-version' }] )" + labels: "vmi_labels | ansible.utils.replace_keys(target=[ + {'before':'kubevirt.io/nodeName', 'after':'nodeName'}, + {'before':'kubevirt.io/size', 'after':'size'}, + {'before':'kubevirt.io/domain', 'after':'domain' }] )" +keyed_groups: + - key: vmi_annotations.os + prefix: "cnv" + separator: "_" diff --git a/openshift/setup.yml b/openshift/setup.yml index a4b04cb..b2b3ab4 100644 --- a/openshift/setup.yml +++ b/openshift/setup.yml @@ -2,7 +2,9 @@ controller_components: - projects - credentials + - inventory_sources - job_templates + - workflow_job_templates controller_projects: - name: USR App 
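Review bot: The `ansible_user` compose in `openshift/inventory.kubevirt.yml` is an inline `if` with no `else`, so for any VM whose `vm.kubevirt.io/os` annotation does not contain `rhel` (the Fedora test VM created by `openshift/cnv/install.yml`, for instance) the expression yields an undefined value, and with `strict: true` that aborts the whole inventory update instead of skipping one host. Give it an else branch with the login for the other images, for example `ansible_user: "'cloud-user' if 'rhel' in vmi_annotations['vm.kubevirt.io/os'] else 'fedora'"` (constructed; confirm the user for non-RHEL images). The same mapping also redefines `vmi_annotations` via `replace_keys`; as far as I can tell each compose expression is evaluated against the original host vars, so `ansible_user` still sees the original key, but that deserves a comment such as `# compose entries see the original vmi_annotations keys; the rename below only affects the stored var`.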
@@ -15,12 +17,159 @@ controller_credentials: - name: OpenShift Credential organization: Default credential_type: OpenShift or Kubernetes API Bearer Token + state: exists inputs: host: CHANGEME bearer_token: CHANGEME verify_ssl: false +controller_inventory_sources: + - name: OpenShift CNV Inventory + inventory: Demo Inventory + source: scm + source_project: Ansible official demo project + source_path: openshift/inventory.kubevirt.yml + credential: OpenShift Credential + update_on_launch: false + controller_templates: + - name: OpenShift / EDA / Install Controller + job_type: run + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "openshift/eda/install.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + credentials: + - "OpenShift Credential" + - "Controller Credential" + + - name: OpenShift / CNV / Install Operator + job_type: run + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "openshift/cnv/install.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + credentials: + - "OpenShift Credential" + + - name: OpenShift / CNV / Create RHEL VM + job_type: run + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "openshift/cnv/provision_rhel.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + allow_simultaneous: true + survey: + name: '' + description: '' + spec: + - question_name: VM name + type: text + variable: vm_name + default: rhel9 + required: true + - question_name: VM NameSpace + type: text + variable: vm_namespace + default: openshift-cnv + required: true + - question_name: SSH Authorized Key + type: textarea + variable: ssh_authorized_key + 
required: true + - question_name: OS Version + type: text + variable: os_version + default: rhel9 + required: true + - question_name: RHEL Activation Key + type: text + variable: rh_subscription_key + required: true + - question_name: RHEL Organization ID + type: text + variable: rh_subscription_org + required: true + credentials: + - "OpenShift Credential" + + - name: OpenShift / CNV / Delete VM + job_type: run + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "openshift/cnv/provision.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + extra_vars: + instance_state: absent + survey: + name: '' + description: '' + spec: + - question_name: VM name + type: text + variable: vm_name + required: true + - question_name: VM NameSpace + type: text + variable: vm_namespace + default: openshift-cnv + required: true + credentials: + - "OpenShift Credential" + + - name: OpenShift / CNV / Patching + job_type: check + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "openshift/cnv/patch.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + ask_job_type_on_launch: true + credentials: + - "OpenShift Credential" + - "Demo Credential" + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Server Name or Pattern + type: text + variable: _hosts + default: "openshift-cnv-rhel*" + required: true + + - name: OpenShift / CNV / Wait Hosts + inventory: "Demo Inventory" + project: "Ansible official demo project" + playbook: "openshift/cnv/wait.yml" + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: Wait hosts + type: text + variable: 
_hosts + default: "openshift-cnv-rhel*" + required: true + - name: OpenShift / Dev Spaces job_type: run inventory: "Demo Inventory" @@ -54,3 +203,53 @@ controller_templates: credentials: - "OpenShift Credential" +controller_workflows: + - name: OpenShift / CNV / Infra Stack + description: A workflow to deploy Virtualized infra in OCP Virtalization + organization: Default + notification_templates_started: Telemetry + notification_templates_success: Telemetry + notification_templates_error: Telemetry + survey_enabled: true + survey: + name: '' + description: '' + spec: + - question_name: SSH Authorized Key + type: textarea + variable: ssh_authorized_key + required: true + - question_name: RHEL Activation Key + type: text + variable: rh_subscription_key + required: true + - question_name: RHEL Organization ID + type: text + variable: rh_subscription_org + required: true + simplified_workflow_nodes: + - identifier: Deploy RHEL8 VM + unified_job_template: OpenShift / CNV / Create RHEL VM + extra_data: + vm_name: rhel8 + os_version: rhel8 + success_nodes: + - Update Inventory + failure_nodes: + - Ticket - Instance Failed + - identifier: Deploy RHEL9 VM + unified_job_template: OpenShift / CNV / Create RHEL VM + extra_data: + vm_name: rhel9 + os_version: rhel9 + success_nodes: + - Update Inventory + failure_nodes: + - Ticket - Instance Failed + - identifier: Update Inventory + unified_job_template: OpenShift CNV Inventory + - identifier: Ticket - Instance Failed + unified_job_template: 'SUBMIT FEEDBACK' + extra_data: + feedback: Failed to create CNV instance + diff --git a/roles/requirements.yml b/roles/requirements.yml index 75eaa0c..707e968 100644 --- a/roles/requirements.yml +++ b/roles/requirements.yml 
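Review bot: The `RHEL Activation Key` survey question on `OpenShift / CNV / Create RHEL VM` is `type: text`, so the activation key is shown in the launch form, kept in clear text in the job's extra_vars and echoed in job output; use `type: password` so the controller masks it, and the same question recurs in the `OpenShift / CNV / Infra Stack` workflow survey in the `@@ -54,3 +203,53 @@` hunk. `OpenShift / CNV / Wait Hosts` is the only new template without `job_type:`; add `job_type: run` for consistency with its siblings. `OpenShift / CNV / Patching` defaults to `job_type: check` with `ask_job_type_on_launch: true`, which is a sensible default for a patching demo, but a comment such as `# check mode by default; launching as "run" applies updates to every matched host` would make the switch explicit.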
@@ -1,42 +1,46 @@ --- roles: # RHEL 7 compliance roles from ComplianceAsCode - - name: redhatofficial.rhel7_cis - version: 0.1.69 - - name: redhatofficial.rhel7_cui - version: 0.1.67 - - name: redhatofficial.rhel7_hipaa - version: 0.1.69 - - name: redhatofficial.rhel7_ospp - version: 0.1.69 - - name: redhatofficial.rhel7_pci_dss - version: 0.1.69 - - name: redhatofficial.rhel7_stig - version: 0.1.69 + - name: redhatofficial.rhel7-cis + version: 0.1.72 + - name: redhatofficial.rhel7-cjis + version: 0.1.72 + - name: redhatofficial.rhel7-cui + version: 0.1.72 + - name: redhatofficial.rhel7-hipaa + version: 0.1.72 + - name: redhatofficial.rhel7-ospp + version: 0.1.72 + - name: redhatofficial.rhel7-pci-dss + version: 0.1.72 + - name: redhatofficial.rhel7-stig + version: 0.1.72 # RHEL 8 compliance roles from ComplianceAsCode - - name: redhatofficial.rhel8_cis - version: 0.1.69 - - name: redhatofficial.rhel8_cui - version: 0.1.69 - - name: redhatofficial.rhel8_hipaa - version: 0.1.69 - - name: redhatofficial.rhel8_ospp - version: 0.1.69 - - name: redhatofficial.rhel8_pci_dss - version: 0.1.69 - - name: redhatofficial.rhel8_stig - version: 0.1.69 + - name: redhatofficial.rhel8-cis + version: 0.1.72 + - name: redhatofficial.rhel8-cjis + version: 0.1.72 + - name: redhatofficial.rhel8-cui + version: 0.1.72 + - name: redhatofficial.rhel8-hipaa + version: 0.1.72 + - name: redhatofficial.rhel8-ospp + version: 0.1.72 + - name: redhatofficial.rhel8-pci-dss + version: 0.1.72 + - name: redhatofficial.rhel8-stig + version: 0.1.72 # RHEL 9 compliance roles from ComplianceAsCode - - name: redhatofficial.rhel9_cis - version: 0.1.68 - - name: redhatofficial.rhel9_cui - version: 0.1.64 - - name: redhatofficial.rhel9_hipaa - version: 0.1.68 - - name: redhatofficial.rhel9_ospp - version: 0.1.68 - - name: redhatofficial.rhel9_pci_dss - version: 0.1.68 - - name: redhatofficial.rhel9_stig - version: 0.1.64 + - name: redhatofficial.rhel9-cis + version: 0.1.72 + - name: redhatofficial.rhel9-cui 
+ version: 0.1.72 + - name: redhatofficial.rhel9-hipaa + version: 0.1.72 + - name: redhatofficial.rhel9-ospp + version: 0.1.72 + - name: redhatofficial.rhel9-pci-dss + version: 0.1.72 + - name: redhatofficial.rhel9-stig + version: 0.1.72 ... diff --git a/satellite/setup.yml b/satellite/setup.yml index 76507a6..6ae2b6e 100644 --- a/satellite/setup.yml +++ b/satellite/setup.yml @@ -1,14 +1,6 @@ --- user_message: -controller_components: - - credential_types - - credentials - - inventory_sources - - job_templates - - job_launch - - workflow_job_templates - controller_credential_types: - name: Satellite Collection kind: cloud @@ -39,6 +31,7 @@ controller_credentials: - name: Satellite Inventory credential_type: Red Hat Satellite 6 organization: Default + state: exists inputs: host: https://satellite.example.com username: admin @@ -46,6 +39,7 @@ controller_credentials: - name: Satellite Credential credential_type: Satellite Collection organization: Default + state: exists inputs: host: https://satellite.example.com username: admin diff --git a/setup_demo.yml b/setup_demo.yml index 4852634..b9fd37d 100644 --- a/setup_demo.yml +++ b/setup_demo.yml 
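Review bot: The `state: exists` added to `Satellite Inventory` and `Satellite Credential` turns those entries from converge into presence-only: if I read the `infra.controller_configuration` semantics correctly, an already-present credential keeps whatever `inputs` it has, so changes to `host`/`username` in this file are no longer pushed on re-runs. If that is the intent (never overwrite an operator-edited credential), say so beside the key, e.g. `state: exists  # create only; existing inputs are intentionally not reconciled`; otherwise leave the default `present`. Both hunks sit inside `controller_credentials`, whose start is outside this view.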
@@ -1,68 +1,33 @@ --- -- name: Setup demo +- name: Setup common prerequisites hosts: localhost gather_facts: false - tasks: - - name: Default Components - ansible.builtin.include_role: - name: "redhat_cop.controller_configuration.{{ item }}" - loop: "{{ controller_components }}" - vars: # noqa var-naming[no-role-prefix] - controller_components: - - notification_templates - - job_templates - - settings - controller_execution_environments: - - name: product-demos - image: http://quay.io/acme_corp/product-demos-ee:latest - controller_organizations: - - name: Default - default_environment: product-demos - controller_notifications: - - name: Telemetry - organization: Default - notification_type: webhook - notification_configuration: - url: https://script.google.com/macros/s/AKfycbzxUObvCJ6ZbzfJyicw4RvxlGE3AZdrK4AR5-TsedCYd7O-rtTOVjvsRvqyb3rx6B0g8g/exec - http_method: POST - headers: {} - controller_templates: - - name: "SUBMIT FEEDBACK" - job_type: run - inventory: "Demo Inventory" - project: "Ansible official demo project" - playbook: "feedback.yml" - execution_environment: Default execution environment - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: Name/Email/Contact - type: text - variable: email - required: true - - question_name: Issue or Feedback - type: textarea - variable: feedback - required: true - controller_settings: - - name: "SESSION_COOKIE_AGE" - value: 180000 + # vars_files should be scoped to a play so variables defined in the + # files should not be available in subsequent plays, so certain + # resources won't be retried + vars_files: + - common/setup.yml - - name: "Include configuration for {{ demo }}" + tasks: + - name: Create reusable deployment ID + ansible.builtin.set_fact: + _deployment_id: '{{ lookup("ansible.builtin.password", "{{ playbook_dir }}/.deployment_id", 
chars=["ascii_lowercase", "digits"], length=5) }}' + + - name: Create common demo resources + ansible.builtin.include_role: + name: infra.controller_configuration.dispatch + +- name: Setup demo + hosts: localhost + gather_facts: false + tasks: + - name: Include configuration for {{ demo }} ansible.builtin.include_vars: "{{ demo }}/setup.yml" - name: Demo Components ansible.builtin.include_role: - name: "redhat_cop.controller_configuration.{{ item }}" - loop: "{{ controller_components }}" - when: - - controller_components | d("") | length > 0 + name: infra.controller_configuration.dispatch - name: Log Demo ansible.builtin.uri: @@ -75,3 +40,5 @@ ansible.builtin.debug: msg: "{{ user_message }}" when: user_message is defined + +... diff --git a/windows/backup.yml b/windows/backup.yml index 661630a..ee05474 100644 --- a/windows/backup.yml +++ b/windows/backup.yml @@ -1,6 +1,6 @@ --- -- hosts: windows - name: Rollback playbook +- name: Rollback playbook + hosts: windows tasks: - name: "Rollback this step" ansible.builtin.debug: diff --git a/windows/create_ad_domain.yml b/windows/create_ad_domain.yml index feb1303..5c8599b 100644 --- a/windows/create_ad_domain.yml +++ b/windows/create_ad_domain.yml 
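Review bot: The `Create reusable deployment ID` task nests a `{{ playbook_dir }}` template inside the outer `{{ lookup(...) }}` expression; that only works because lookup terms are re-templated, a behaviour Ansible has been deprecating, and the plain expression form is `lookup("ansible.builtin.password", playbook_dir ~ "/.deployment_id", chars=["ascii_lowercase", "digits"], length=5)`. Note also that the `password` lookup persists the generated value to `.deployment_id` beside the playbook, so that file must stay out of version control (presumably what the `.gitignore` change in this commit covers), and the `set_fact` result is a host fact that deliberately carries into the second play. The `vars_files` comment could say this more directly, e.g. `# vars_files are play-scoped: common/setup.yml variables do not leak into the next play, unlike the _deployment_id fact`.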
@@ -13,30 +13,23 @@ ansible.windows.win_domain: dns_domain_name: ansible.local safe_mode_password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}" - register: new_forest + notify: + - Reboot host + - Wait for AD services + - Reboot again + - Wait for AD services again - - name: Reboot the target host - ansible.windows.win_reboot: - reboot_timeout: 3600 - when: new_forest.reboot_required - - - name: Wait up to 10min for AD web services to start - community.windows.win_wait_for_process: - process_name_exact: Microsoft.ActiveDirectory.WebServices - pre_wait_delay: 60 - state: present - timeout: 600 - sleep: 10 - remote_user: Administrator + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Create some groups community.windows.win_domain_group: name: "{{ item.name }}" scope: global loop: - - {name: "GroupA"} - - {name: "GroupB"} - - {name: "GroupC"} + - name: "GroupA" + - name: "GroupB" + - name: "GroupC" retries: 5 delay: 10 
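Review bot: Replacing `register: new_forest` / `when: new_forest.reboot_required` with `notify:` makes the reboot key off the task's `changed` status rather than the module's `reboot_required` return value; for `ansible.windows.win_domain` a changed result means the forest was just created and a reboot is due, so this is most likely equivalent, but a one-line comment on the `notify:` list would record that, e.g. `# handlers fire only when the forest was actually created (changed)`. The `Flush handlers` task is what makes the reboot happen before the group/user tasks instead of at play end; a comment saying so would help the next reader, e.g. `# reboot and wait now: the domain must be up before groups are created`. The enclosing play starts before this hunk.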
@@ -47,8 +40,36 @@ password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}" update_password: on_create loop: - - {name: "UserA", groups: "GroupA"} - - {name: "UserB", groups: "GroupB"} - - {name: "UserC", groups: "GroupC"} + - name: "UserA" + groups: "GroupA" + - name: "UserB" + groups: "GroupB" + - name: "UserC" + groups: "GroupC" retries: 5 delay: 10 + + handlers: + - name: Reboot host + ansible.windows.win_reboot: + reboot_timeout: 3600 + + - name: Wait for AD services + community.windows.win_wait_for_process: + process_name_exact: Microsoft.ActiveDirectory.WebServices + pre_wait_delay: 60 + state: present + timeout: 600 + sleep: 10 + + - name: Reboot again + ansible.windows.win_reboot: + reboot_timeout: 3600 + + - name: Wait for AD services again + community.windows.win_wait_for_process: + process_name_exact: Microsoft.ActiveDirectory.WebServices + pre_wait_delay: 60 + state: present + timeout: 600 + sleep: 10 diff --git a/windows/patching.yml b/windows/patching.yml index 57234b4..39471d2 100644 --- a/windows/patching.yml +++ b/windows/patching.yml @@ -2,7 +2,7 @@ - name: Windows updates hosts: "{{ _hosts | default('os_windows') }}" vars: - report_server: win1 + report_server: aws_win1 tasks: - name: Patch windows server diff --git a/windows/powershell_dsc.yml b/windows/powershell_dsc.yml index dc91e42..0c6aae4 100644 --- a/windows/powershell_dsc.yml +++ b/windows/powershell_dsc.yml 
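Review bot: The new `Wait for AD services` handler drops the `remote_user: Administrator` that the removed inline task carried (see the previous hunk); if that override existed because the connection user changes once the host becomes a domain controller, the handler will connect as the default user and the wait may fail on the first run after promotion, so verify this against a fresh promotion and, if needed, restore `remote_user: Administrator` on both wait handlers. The `Reboot again` / `Wait for AD services again` handlers duplicate the first pair because a handler notified more than once still runs only once per flush; a comment above them would stop a future cleanup from "deduplicating" them, e.g. `# the play reboots twice on purpose; handlers run once per flush, hence the duplicated definitions`.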
@@ -4,6 +4,18 @@ gather_facts: false tasks: + - name: Setup PsGallery + ansible.windows.win_powershell: + script: | + $nuget_version = (Get-PackageProvider -Name NuGet -ListAvailable).version + $nuget_target_version = [Version]::new('2.8.5.201') + if( $nuget_version -lt $nuget_target_version ){ + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Install-PackageProvider -Name NuGet -MinimumVersion $nuget_target_version -Force + Install-Module -Name packagemanagement -Force + Install-Module -Name powershellget -Force + } + - name: Setup the SecurityPolicyDSC module community.windows.win_psmodule: name: SecurityPolicyDSC diff --git a/windows/setup.yml b/windows/setup.yml index 977b93f..19f84d0 100644 --- a/windows/setup.yml +++ b/windows/setup.yml @@ -2,10 +2,6 @@ user_message: | '' -controller_components: - - projects - - job_templates - controller_projects: - name: Fact Scan organization: Default
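Review bot: `Setup PsGallery` will report `changed` on every run, because `ansible.windows.win_powershell` leaves `$Ansible.Changed` true regardless of whether the `if` branch executed; set `$Ansible.Changed = $false` before the version check and `$Ansible.Changed = $true` inside the branch so the task is idempotent. The `Install-Module -Name packagemanagement -Force` and `Install-Module -Name powershellget -Force` calls pull whatever is current in the gallery; pinning them with `-RequiredVersion` keeps this bootstrap as reproducible and reviewable as the NuGet `2.8.5.201` minimum already is. If the NuGet provider is absent on a fresh host, `Get-PackageProvider -Name NuGet -ListAvailable` writes an error rather than returning nothing as far as I recall, so the lookup may need `-ErrorAction SilentlyContinue` for the comparison to behave as intended.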