DISA STIG for Red Hat Enterprise Linux 7
Rules and Groups employed by this XCCDF Profile
-
Verify Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored in the second field (colon-separated) in <code>/etc/shadow</code>. This file should be re...Group -
All GIDs referenced in /etc/passwd must be defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.Rule Low Severity -
Prevent Login to Accounts With Empty Password
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without ...Rule High Severity -
Ensure There Are No Accounts With Blank or Null Passwords
Check the "/etc/shadow" file for blank passwords with the following command: <pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</pre> If the command ...Rule High Severity -
Restrict Root Logins
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivil...Group -
Verify Only Root Has UID 0
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or h...Rule High Severity -
Secure Session Configuration Files for Login Accounts
When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the...Group -
Ensure Home Directories are Created for New Users
All local interactive user accounts, upon creation, should be assigned a home directory. <br><br> Configure the operating system to assign home dir...Rule Medium Severity -
Ensure the Logon Failure Delay is Set Correctly in login.defs
To ensure the logon failure delay controlled by <code>/etc/login.defs</code> is set properly, add or correct the <code>FAIL_DELAY</code> setting in...Rule Medium Severity -
Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions...Rule Low Severity -
Set Interactive Session Timeout
Setting the <code>TMOUT</code> option in <code>/etc/profile</code> ensures that all user sessions will terminate based on inactivity. The value of ...Rule Medium Severity -
User Initialization Files Must Be Group-Owned By The Primary Group
Change the group owner of interactive users files to the group found in <pre>/etc/passwd</pre> for the user. To change the group owner of a local i...Rule Medium Severity -
User Initialization Files Must Not Run World-Writable Programs
Set the mode on files being executed by the user initialization files with the following command:$ sudo chmod o-w FILE
Rule Medium Severity -
User Initialization Files Must Be Owned By the Primary User
Set the owner of the user initialization files for interactive users to the primary owner with the following command: <pre>$ sudo chown <i>USER</i>...Rule Medium Severity -
Ensure that Users Path Contains Only Local Directories
Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working dir...Rule Medium Severity -
All Interactive Users Home Directories Must Exist
Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create t...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner ...Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have a Valid Owner
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories....Rule Medium Severity -
All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive
Set the mode on files and directories in the local interactive user home directory with the following command: <pre>$ sudo chmod 0750 /home/<i>USER...Rule Medium Severity -
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
Change the group owner of interactive users home directory to the group found in <code>/etc/passwd</code>. To change the group owner of interactive...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.