DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)
Rules and Groups employed by this XCCDF Profile
-
Set Existing Passwords Maximum Age
Configure non-compliant accounts to enforce a <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="le...Rule Medium Severity -
Set Existing Passwords Minimum Age
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>...Rule Medium Severity -
Set Password Warning Age
To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or...Rule Medium Severity -
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
Verify All Account Password Hashes are Shadowed
If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of t...Rule Medium Severity -
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.Rule Low Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...Rule High Severity -
Direct root Logins Not Allowed
To further limit access to the <code>root</code> account, administrators can disable root logins at the console by editing the <code>/etc/securetty...Rule Medium Severity -
Restrict Serial Port Root Logins
To restrict root logins on serial ports, ensure lines of this form do not appear in/etc/securetty:ttyS0 ttyS1
Rule Medium Severity -
Restrict Virtual Console Root Logins
To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in <code>/etc/securetty</code>: <...Rule Medium Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...Group -
Ensure Home Directories are Created for New Users
All local interactive user accounts, upon creation, should be assigned a home directory. <br><br> Configure the operating system to assign home dir...Rule Medium Severity -
Ensure the Logon Failure Delay is Set Correctly in login.defs
To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...Rule Low Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...Rule Medium Severity -
User Initialization Files Must Be Group-Owned By The Primary Group
Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local i...Rule Medium Severity -
User Initialization Files Must Not Run World-Writable Programs
Set the mode on files being executed by the user initialization files with the following command:$ sudo chmod o-w FILE
Rule Medium Severity -
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i>...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.