DISA STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
System Settings
Contains rules that check correct system settings.Group -
Installing and Maintaining Software
The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of s...Group -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...Group -
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integr...Group -
Verify Integrity with RPM
The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with informat...Group -
Verify File Hashes with RPM
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package m...Rule High Severity -
Verify and Correct Ownership with RPM
The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system ...Rule High Severity -
Verify and Correct File Permissions with RPM
The RPM package management system can check file access permissions of installed software packages, including many that are important to system sec...Rule High Severity -
Verify Integrity with AIDE
AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created imm...Group -
Install AIDE
Theaidepackage can be installed with the following command:$ sudo yum install aide
Rule Medium Severity -
Build and Test AIDE Database
Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the fil...Rule Medium Severity -
Configure Periodic Execution of AIDE
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line t...Rule Medium Severity -
Configure Notification of Post-AIDE Scan Details
AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic exe...Rule Medium Severity -
Configure AIDE to Use FIPS 140-2 for Validating Hashes
By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. If using a custom ruleset or the <code>sha512</code...Rule Medium Severity -
Configure AIDE to Verify Access Control Lists (ACLs)
By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> optio...Rule Low Severity -
Configure AIDE to Verify Extended Attributes
By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code>...Rule Low Severity -
Federal Information Processing Standard (FIPS)
The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working g...Group -
Enable FIPS Mode in GRUB2
To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands: <pr...Rule High Severity -
Operating System Vendor Support and Certification
The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stabili...Group -
The Installed Operating System Is Vendor Supported
The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Li...Rule High Severity -
Endpoint Protection Software
Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative secur...Group -
Install Virus Scanning Software
Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate syste...Rule High Severity -
McAfee Endpoint Security Software
In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.Group -
McAfee Endpoint Security for Linux (ENSL)
McAfee Endpoint Security for Linux (ENSL) is a suite of software applications used to monitor, detect, and defend computer networks and systems.Group -
Install McAfee Endpoint Security for Linux (ENSL)
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of v...Rule Medium Severity -
Ensure McAfee Endpoint Security for Linux (ENSL) is running
Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of v...Rule Medium Severity -
Disk Partitioning
To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logic...Group -
Ensure /home Located On Separate Partition
If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using...Rule Low Severity -
Ensure /tmp Located On Separate Partition
The <code>/tmp</code> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at...Rule Low Severity -
Ensure /var Located On Separate Partition
The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has i...Rule Low Severity -
Ensure /var/log/audit Located On Separate Partition
Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volum...Rule Low Severity -
GNOME Desktop Environment
GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphi...Group -
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by ...Rule High Severity -
Configure GNOME Login Screen
In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow u...Group -
Disable the GNOME3 Login User List
In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This fu...Rule Medium Severity -
Enable the GNOME3 Login Smartcard Authentication
In the default graphical environment, smart card authentication can be enabled on the login screen by setting <code>enable-smartcard-authentication...Rule Medium Severity -
Disable GDM Automatic Login
The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to a...Rule High Severity -
Disable GDM Guest Login
The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to logi...Rule High Severity -
GNOME Media Settings
GNOME media settings that apply to the graphical interface.Group -
Disable GNOME3 Automounting
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...Rule Medium Severity -
Disable GNOME3 Automount Opening
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...Rule Medium Severity -
Disable GNOME3 Automount running
The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are...Rule Low Severity -
Configure GNOME Screen Locking
In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock<...Group -
Enable GNOME3 Screensaver Idle Activation
To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Idle Activation
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/idle-acti...Rule Medium Severity -
Set GNOME3 Screensaver Inactivity Timeout
The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate...Rule Medium Severity -
Set GNOME3 Screensaver Lock Delay After Activation Period
To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <co...Rule Medium Severity -
Enable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <c...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/lock-enab...Rule Medium Severity -
Ensure Users Cannot Change GNOME3 Screensaver Settings
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-del...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.