DISA STIG for Red Hat Enterprise Linux 9
Rules and Groups employed by this XCCDF Profile
-
Limit Password Reuse: system-auth
Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_pwhistory</code>...Rule Medium Severity -
Account Lockouts Must Be Logged
PAM faillock locks an account due to excessive password failures, this event must be logged.Rule Medium Severity -
Lock Accounts After Failed Password Attempts
This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so...Rule Medium Severity -
Configure the root Account for Failed Password Attempts
This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</c...Rule Medium Severity -
Lock Accounts Must Persist
This rule ensures that the system lock out accounts using <code>pam_faillock.so</code> persist after system reboot. From "pam_faillock" man pages: ...Rule Medium Severity -
Set Interval For Counting Failed Password Attempts
Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of inc...Rule Medium Severity -
Set Lockout Time for Failed Password Attempts
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_fail...Rule Medium Severity -
Set Password Quality Requirements
The default <code>pam_pwquality</code> PAM module provides strength checking for passwords. It performs a number of checks, such as making sure pas...Group -
Set Password Quality Requirements with pam_pwquality
The <code>pam_pwquality</code> PAM module can be configured to meet requirements for a variety of policies. <br><br> For example, to configure <cod...Group -
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, a...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
The pam_pwquality module's <code>dictcheck</code> check if passwords contains dictionary words. When <code>dictcheck</code> is set to <code>1</code...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Characters
The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in and old password du...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Enforce for root User
The pam_pwquality module's <code>enforce_for_root</code> parameter controls requirements for enforcing password complexity for the root user. Enabl...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negativ...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters from the same character...Rule Medium Severity -
Set Password Maximum Consecutive Repeating Characters
The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. When set to a positive numb...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Different Categories
The pam_pwquality module's <code>minclass</code> parameter controls requirements for usage of different character classes, or types, of character t...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Length
The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. Add <code>minlen=<xcc...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Special Characters
The pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When s...Rule Medium Severity -
Ensure PAM password complexity module is enabled in password-auth
To enable PAM password complexity in password-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/password-auth</code> to show <c...Rule Medium Severity -
Ensure PAM password complexity module is enabled in system-auth
To enable PAM password complexity in system-auth file: Edit the <code>password</code> section in <code>/etc/pam.d/system-auth</code> to show <code>...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
To configure the number of retry prompts that are permitted per-session: Edit the <code>/etc/security/pwquality.conf</code> to include <code>retr...Rule Medium Severity -
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negati...Rule Medium Severity -
Set Password Hashing Algorithm
The system's default algorithm for storing password hashes in/etc/shadow
is SHA-512. This can be configured in several locations.Group -
Set Password Hashing Algorithm in /etc/libuser.conf
In <code>/etc/libuser.conf</code>, add or correct the following line in its <code>[defaults]</code> section to ensure the system will use the SHA-5...Rule Medium Severity -
Set Password Hashing Algorithm in /etc/login.defs
In <code>/etc/login.defs</code>, add or correct the following line to ensure the system will use <xccdf-1.2:sub idref="xccdf_org.ssgproject.content...Rule Medium Severity -
Set PAM''s Password Hashing Algorithm - password-auth
The PAM system service can be configured to only store encrypted representations of passwords. In <code>/etc/pam.d/password-auth</code>, the <code>...Rule Medium Severity -
Set Password Hashing Rounds in /etc/login.defs
In <code>/etc/login.defs</code>, ensure <code>SHA_CRYPT_MIN_ROUNDS</code> and <code>SHA_CRYPT_MAX_ROUNDS</code> has the minimum value of <code>5000...Rule Medium Severity -
Protect Physical Console Access
It is impossible to fully protect a system from an attacker with physical access, so securing the space in which the system is located should be co...Group -
Disable debug-shell SystemD Service
SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once e...Rule Medium Severity -
Disable Ctrl-Alt-Del Burst Action
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed Ctrl-Alt-Delete more than 7 times ...Rule High Severity -
Disable Ctrl-Alt-Del Reboot Activation
By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br><br> To configure the system ...Rule High Severity -
Verify that Interactive Boot is Disabled
Red Hat Enterprise Linux 9 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enter...Rule Medium Severity -
Configure Logind to terminate idle sessions after certain time of inactivity
To configure <code>logind</code> service to terminate inactive user sessions after <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_log...Rule Medium Severity -
Require Authentication for Emergency Systemd Target
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. <br><br> B...Rule Medium Severity -
Require Authentication for Single User Mode
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. ...Rule Medium Severity -
Configure Screen Locking
When a user must temporarily leave an account logged-in, screen locking should be employed to prevent passersby from abusing the account. User educ...Group -
Configure Console Screen Locking
A console screen locking mechanism is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the in...Group -
Install the tmux Package
To enable console screen locking, install the <code>tmux</code> package. A session lock is a temporary action taken when a user stops work and move...Rule Medium Severity -
Support session locking with tmux
The <code>tmux</code> terminal multiplexer is used to implement automatic session locking. It should be started from <code>/etc/bashrc</code> or dr...Rule Medium Severity -
Configure tmux to lock session after inactivity
To enable console screen locking in <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option ha...Rule Medium Severity -
Configure the tmux Lock Command
To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locki...Rule Medium Severity -
Prevent user from disabling the screen lock
Thetmux
terminal multiplexer is used to implement automatic session locking. It should not be listed in/etc/shells
.Rule Low Severity -
Hardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username and password. I...Group -
Install the opensc Package For Multifactor Authentication
Theopensc
package can be installed with the following command:$ sudo dnf install opensc
Rule Medium Severity -
Install the pcsc-lite package
Thepcsc-lite
package can be installed with the following command:$ sudo dnf install pcsc-lite
Rule Medium Severity -
Install Smart Card Packages For Multifactor Authentication
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The <code>op...Rule Medium Severity -
Enable the pcscd Service
Thepcscd
service can be enabled with the following command:$ sudo systemctl enable pcscd.service
Rule Medium Severity -
Configure opensc Smart Card Drivers
The OpenSC smart card tool can auto-detect smart card drivers; however, setting the smart card drivers in use by your organization helps to prevent...Rule Medium Severity -
Protect Accounts by Restricting Password-Based Login
Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness ...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.