Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The TOSS audit records must be offloaded onto a different system or storage media from the system being audited.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. TOS...
    Rule Medium Severity
  • TOSS must label all off-loaded audit logs before sending them to the central log server.

    Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...
    Rule Medium Severity
  • Successful/unsuccessful uses of the "removexattr" system call in TOSS must generate an audit record.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • Successful/unsuccessful uses of "semanage" in TOSS must generate an audit record.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • Successful/unsuccessful uses of the "mount" syscall in TOSS must generate an audit record.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • Successful/unsuccessful uses of the "su" command in TOSS must generate an audit record.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • Successful/unsuccessful uses of the "unix_update" in TOSS must generate an audit record.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • Successful/unsuccessful uses of "unix_chkpwd" in TOSS must generate an audit record.

    Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
    Rule Medium Severity
  • TOSS must resolve audit information before writing to disk.

    Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events ...
    Rule Low Severity
  • TOSS must have the packages required for encrypting offloaded audit logs installed.

    Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. TOS...
    Rule Medium Severity
  • TOSS must force a frequent session key renegotiation for SSH connections by the client.

    Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirem...
    Rule Medium Severity
  • TOSS must enforce password complexity by requiring that at least one lowercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • TOSS must require the change of at least eight characters when passwords are changed.

    If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempt...
    Rule Medium Severity
  • TOSS must enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force user...
    Rule Medium Severity
  • TOSS must enforce a minimum 15-character password length.

    The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...
    Rule Medium Severity
  • TOSS must disable IEEE 1394 (FireWire) Support.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • TOSS must disable network management of the chrony daemon.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time when a particular event occurred on a system is critical when ...
    Rule Medium Severity
  • TOSS must not have any automated bug reporting tools installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • TOSS must not have the telnet-server package installed.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • TOSS must be configured to disable USB mass storage.

    USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163
    Rule Medium Severity
  • TOSS must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.

    Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console por...
    Rule Medium Severity
  • A firewall must be installed on TOSS.

    "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to netwo...
    Rule Medium Severity
  • TOSS must accept Personal Identity Verification (PIV) credentials.

    The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DoD has mandated the use of the Common Access Card (CAC) to support identity management and ...
    Rule Medium Severity
  • A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring TOSS can implement rate-limiting measures on impacted network interfaces.

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This require...
    Rule Medium Severity
  • If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.

    Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.
    Rule Medium Severity
  • The x86 Ctrl-Alt-Delete key sequence must be disabled on TOSS.

    A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the...
    Rule High Severity
  • TOSS must enable the hardware random number generator entropy gatherer service.

    The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associ...
    Rule Medium Severity
  • TOSS must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.

    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An ill...
    Rule Medium Severity
  • TOSS must not accept router advertisements on all IPv6 interfaces by default.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • TOSS must not accept router advertisements on all IPv6 interfaces.

    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unn...
    Rule Medium Severity
  • TOSS must not forward IPv6 source-routed packets.

    Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security me...
    Rule Medium Severity
  • TOSS must restrict privilege elevation to authorized personnel.

    The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms the request to execute a command by checking a file,...
    Rule Medium Severity
  • TOSS must enable kernel parameters to enforce discretionary access control on symlinks.

    Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which...
    Rule Medium Severity
  • The TOSS SSH daemon must not allow authentication using known host's authentication.

    Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All TOSS local files and directories must have a valid owner.

    Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • TOSS must require users to provide a password for privilege escalation.

    Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • All TOSS local interactive user accounts must be assigned a home directory upon creation.

    If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • Cron logging must be implemented in TOSS.

    Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • TOSS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

    Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00230

    Group
  • All TOSS local interactive user home directories must have mode 0770 or less permissive.

    Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources.
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00230

    Group
  • TOSS must not permit direct logons to the root account using remote access from outside of the system via SSH.

    Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-sp...
    Rule Medium Severity
  • SRG-OS-000114-GPOS-00059

    Group
  • The TOSS file system automounter must be disabled unless required.

    Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
    Rule Medium Severity