Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000250-GPOS-00093
Group
The TOSS SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote acce...
Rule Medium Severity
SRG-OS-000269-GPOS-00103
Group
The TOSS operating system must be configured to preserve log records from failure events.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Fa...
Rule Medium Severity
SRG-OS-000355-GPOS-00143
Group
TOSS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...
Rule Medium Severity
SRG-OS-000363-GPOS-00150
Group
The TOSS file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized ...
Rule Medium Severity
SRG-OS-000366-GPOS-00153
Group
TOSS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
Changes to any software components can have significant effects on the overall security of the operating system. This require...
Rule High Severity
SRG-OS-000373-GPOS-00158
Group
TOSS must require reauthentication when using the "sudo" command.
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operat...
Rule Medium Severity
SRG-OS-000375-GPOS-00160
Group
TOSS must have the packages required for multifactor authentication installed.
Using an authentication device, such as a DOD Common Access Card (CAC) or token that is separate from the information system,...
Rule Medium Severity
SRG-OS-000383-GPOS-00166
Group
TOSS must not allow blank or null passwords in the system-auth file.
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with ...
Rule High Severity
SRG-OS-000480-GPOS-00227
Group
All TOSS networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected commu...
Rule Medium Severity
SRG-OS-000480-GPOS-00227
Group
For TOSS systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured.
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolut...
Rule Medium Severity
SRG-OS-000480-GPOS-00227
Group
The debug-shell systemd service must be disabled on TOSS.
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. Whi...
Rule Medium Severity
SRG-OS-000480-GPOS-00227
Group
The root account must be the only account having unrestricted access to the TOSS system.
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricte...
Rule High Severity
SRG-OS-000480-GPOS-00227
Group
The systemd Ctrl-Alt-Delete burst key sequence in TOSS must be disabled.
A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as c...
Rule High Severity
SRG-OS-000480-GPOS-00227
Group
All TOSS local interactive user home directories must be owned by the user's primary group.
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sha...
Rule Medium Severity
TOSS must not be performing packet forwarding unless the system is a router.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this s...
Rule Medium Severity
SRG-OS-000480-GPOS-00227
Group
SRG-OS-000004-GPOS-00004
Group
SRG-OS-000057-GPOS-00027
Group
The TOSS SSH daemon must not allow compression or must only allow compression after successful authentication.
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could res...
Rule Medium Severity
SRG-OS-000480-GPOS-00227
Group
The TOSS SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused met...
Rule Medium Severity
SRG-OS-000480-GPOS-00229
Group
TOSS must not allow an unattended or automatic logon to the system.
Failure to restrict system access to authenticated users negatively impacts operating system security. ...
Rule High Severity
SRG-OS-000021-GPOS-00005
Group
TOSS must enforce the limit of five consecutive invalid logon attempts by a user during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...
Rule Medium Severity
SRG-OS-000027-GPOS-00008
Group
TOSS must limit the number of concurrent sessions to 256 for all accounts and/or account types.
Operating system management includes the ability to control the number of users and user sessions that utilize an operating s...
Rule Low Severity
SRG-OS-000028-GPOS-00009
Group
TOSS must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the ...
Rule Medium Severity
SRG-OS-000029-GPOS-00010
Group
TOSS must automatically lock graphical user sessions after 15 minutes of inactivity.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinit...
Rule Medium Severity
SRG-OS-000068-GPOS-00036
Group
TOSS must map the authenticated identity to the user or group account for PKI-based authentication.
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the indivi...
Rule Medium Severity
SRG-OS-000104-GPOS-00051
Group
TOSS duplicate User IDs (UIDs) must not exist for interactive users.
To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to preven...
Rule Medium Severity
SRG-OS-000105-GPOS-00052
Group