Skip to content
Log In

DISA STIG for Red Hat Enterprise Linux 7

Rules and Groups employed by this XCCDF Profile

  • System Settings

    Contains rules that check correct system settings.
    Group
    Show

  • Installing and Maintaining Software

    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
    Group
    Show

  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...
    Group
    Show

  • Software Integrity Checking

    Both the AIDE (Advanced Intrusion Detection Environment) software and the RPM package management system provide mechanisms for verifying the integrity of installed software. AIDE uses snapshots of ...
    Group
    Show

  • Verify Integrity with RPM

    The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadat...
    Group
    Show

  • Verify File Hashes with RPM

    Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed...
    Rule High Severity
    Show

  • Verify and Correct Ownership with RPM

    The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect per...
    Rule High Severity
    Show

  • Verify and Correct File Permissions with RPM

    The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system ...
    Rule High Severity
    Show

  • Verify Integrity with AIDE

    AIDE conducts integrity checks by comparing information about files with previously-gathered information. Ideally, the AIDE database is created immediately after initial system configuration, and t...
    Group
    Show

  • Install AIDE

    The aide package can be installed with the following command: 
    $ sudo yum install aide
    Rule Medium Severity
    Show

  • Build and Test AIDE Database

    Run the following command to generate a new database: <pre>$ sudo /usr/sbin/aide --init</pre> By default, the database will be written to the file <code>/var/lib/aide/aide.db.new.gz</code>. Sto...
    Rule Medium Severity
    Show

  • Configure Periodic Execution of AIDE

    At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to <code>/etc/crontab</code>: <pre>05 4 * * * root ...
    Rule Medium Severity
    Show

  • Configure Notification of Post-AIDE Scan Details

    AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in <code>/etc/crontab</code>, append the fo...
    Rule Medium Severity
    Show

  • Configure AIDE to Use FIPS 140-2 for Validating Hashes

    By default, the <code>sha512</code> option is added to the <code>NORMAL</code> ruleset in AIDE. If using a custom ruleset or the <code>sha512</code> option is missing, add <code>sha512</code> to th...
    Rule Medium Severity
    Show

  • Configure AIDE to Verify Access Control Lists (ACLs)

    By default, the <code>acl</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>acl</code> option is missing, add <code>acl</code> to the appropri...
    Rule Low Severity
    Show

  • Configure AIDE to Verify Extended Attributes

    By default, the <code>xattrs</code> option is added to the <code>FIPSR</code> ruleset in AIDE. If using a custom ruleset or the <code>xattrs</code> option is missing, add <code>xattrs</code> to the...
    Rule Low Severity
    Show

  • Federal Information Processing Standard (FIPS)

    The Federal Information Processing Standard (FIPS) is a computer security standard which is developed by the U.S. Government and industry working groups to validate the quality of cryptographic mod...
    Group
    Show

  • Enable FIPS Mode in GRUB2

    To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands: <pre> $ sudo yum install dracut-fips dracut -f</pre> ...
    Rule High Severity
    Show

  • Operating System Vendor Support and Certification

    The assurance of a vendor to provide operating system support and maintenance for their product is an important criterion to ensure product stability and security over the life of the product. A ce...
    Group
    Show

  • The Installed Operating System Is Vendor Supported

    The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for provi...
    Rule High Severity
    Show

  • Endpoint Protection Software

    Endpoint protection security software that is not provided or supported by Red Hat can be installed to provide complementary or duplicative security capabilities to those provided by the base pla...
    Group
    Show

  • Install Virus Scanning Software

    Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configu...
    Rule High Severity
    Show

  • McAfee Endpoint Security Software

    In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.
    Group
    Show

  • McAfee Endpoint Security for Linux (ENSL)

    McAfee Endpoint Security for Linux (ENSL) is a suite of software applications used to monitor, detect, and defend computer networks and systems.
    Group
    Show

  • Install McAfee Endpoint Security for Linux (ENSL)

    Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The <code>McAfeeTP</cod...
    Rule Medium Severity
    Show

  • Ensure McAfee Endpoint Security for Linux (ENSL) is running

    Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem.
    Rule Medium Severity
    Show

  • Disk Partitioning

    To ensure separation and protection of data, there are top-level system directories which should be placed on their own physical partition or logical volume. The installer's default partitioning sc...
    Group
    Show

  • Ensure /home Located On Separate Partition

    If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). If <code>/home</code> will be mounted from ...
    Rule Low Severity
    Show

  • Ensure /tmp Located On Separate Partition

    The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
    Rule Low Severity
    Show

  • Ensure /var Located On Separate Partition

    The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation...
    Rule Low Severity
    Show

  • Ensure /var/log/audit Located On Separate Partition

    Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that <code>/var/log/audit</code> has its own partition or logical volume at installation time, or migrate it using LVM. M...
    Rule Low Severity
    Show

  • GNOME Desktop Environment

    GNOME is a graphical desktop environment bundled with many Linux distributions that allow users to easily interact with the operating system graphically rather than textually. The GNOME Graphical D...
    Group
    Show

  • Make sure that the dconf databases are up-to-date with regards to respective keyfiles

    By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the <pre>dconf update</pre> command. More specific...
    Rule High Severity
    Show

  • Configure GNOME Login Screen

    In the default GNOME desktop, the login is displayed after system boot and can display user accounts, allow users to reboot the system, and allow users to login automatically and/or with a guest ac...
    Group
    Show

  • Disable the GNOME3 Login User List

    In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting <code>di...
    Rule Medium Severity
    Show

  • Enable the GNOME3 Login Smartcard Authentication

    In the default graphical environment, smart card authentication can be enabled on the login screen by setting <code>enable-smartcard-authentication</code> to <code>true</code>. <br><br> To enable, ...
    Rule Medium Severity
    Show

  • Disable GDM Automatic Login

    The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are...
    Rule High Severity
    Show

  • Disable GDM Guest Login

    The GNOME Display Manager (GDM) can allow users to login without credentials which can be useful for public kiosk scenarios. Allowing users to login without credentials or "guest" account access ha...
    Rule High Severity
    Show

  • GNOME Media Settings

    GNOME media settings that apply to the graphical interface.
    Group
    Show

  • Disable GNOME3 Automounting

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount wi...
    Rule Medium Severity
    Show

  • Disable GNOME3 Automount Opening

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-op...
    Rule Medium Severity
    Show

  • Disable GNOME3 Automount running

    The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-neve...
    Rule Low Severity
    Show

  • Configure GNOME Screen Locking

    In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting <b>Lock</b>. <br><br> The following sections detail comman...
    Group
    Show

  • Enable GNOME3 Screensaver Idle Activation

    To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <code>idle-activation-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-setti...
    Rule Medium Severity
    Show

  • Ensure Users Cannot Change GNOME3 Screensaver Idle Activation

    If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> to <code>/etc/dconf/db/local....
    Rule Medium Severity
    Show

  • Set GNOME3 Screensaver Inactivity Timeout

    The idle time-out value for inactivity in the GNOME3 desktop is configured via the <code>idle-delay</code> setting must be set under an appropriate configuration file(s) in the <code>/etc/dconf/db/...
    Rule Medium Severity
    Show

  • Set GNOME3 Screensaver Lock Delay After Activation Period

    To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <code>lock-delay</code> to <code>uint32 <xccdf-1.2:sub idref="xccdf_org.ssgproje...
    Rule Medium Severity
    Show

  • Enable GNOME3 Screensaver Lock After Idle Period

    To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <code>lock-enabled</code> to <code>true</code> in <code>/etc/dconf/db/local.d/00-security-settings</co...
    Rule Medium Severity
    Show

  • Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period

    If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> to <code>/etc/dconf/db/local.d/locks/00-...
    Rule Medium Severity
    Show

  • Ensure Users Cannot Change GNOME3 Screensaver Settings

    If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <code>/org/gnome/desktop/screensaver/lock-delay</code> to <code>/etc/dconf/db/local.d/locks/00-...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules