DISA STIG with GUI for Red Hat Enterprise Linux 9
Rules and Groups employed by this XCCDF Profile
-
Set SSH Daemon LogLevel to VERBOSE
The <code>VERBOSE</code> parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in <code>/etc/ssh/sshd_config....Rule Medium Severity -
Enable Use of Privilege Separation
When enabled, SSH will create an unprivileged child process that has the privilege of the authenticated user. To enable privilege separation in SSH, add or correct the following line in the <code>/...Rule Medium Severity -
Prevent remote hosts from connecting to the proxy display
The SSH daemon should prevent remote hosts from connecting to the proxy display. <br> The default SSH configuration for <code>X11UseLocalhost</code> is <code>yes</code>, which prevents remote hosts...Rule Medium Severity -
System Security Services Daemon
The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, ...Group -
Certificate status checking in SSSD
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart...Rule Medium Severity -
Enable Certmap in SSSD
SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like <code>certmap/testing.test/rule_name</code> is setup in <code>/etc/sssd/sssd.conf<...Rule Medium Severity -
Enable Smartcards in SSSD
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to <code>True</code> under the <code>[pam]</code> sec...Rule Medium Severity -
SSSD Has a Correct Trust Anchor
SSSD must have acceptable trust anchor present.Rule Medium Severity -
Configure SSSD to Expire Offline Credentials
SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command: <pre> $ sudo grep cache_credentials /etc/sssd/sssd.conf...Rule Medium Severity -
USBGuard daemon
The USBGuard daemon enforces the USB device authorization policy for all USB devices.Group -
Install usbguard Package
Theusbguardpackage can be installed with the following command:$ sudo dnf install usbguard
Rule Medium Severity -
Enable the USBGuard Service
The USBGuard service should be enabled. Theusbguardservice can be enabled with the following command:$ sudo systemctl enable usbguard.service
Rule Medium Severity -
Log USBGuard daemon audit events using Linux Audit
To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), <code>AuditBackend</code> option in <code>/etc/usbguard/usbguard-daemon.conf</code> needs to be set to <code>Lin...Rule Low Severity -
Generate USBGuard Policy
By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration m...Rule Medium Severity -
Network Manager
The NetworkManager daemon configures a variety of network connections. This section discusses how to configure NetworkManager.Group -
NetworkManager DNS Mode Must Be Must Configured
The DNS processing mode in NetworkManager describes how DNS is processed on the system. Depending the mode some changes the system's DNS may not be respected.Rule Medium Severity -
Verify Group Who Owns cron.deny
To properly set the group owner of/etc/cron.deny, run the command:$ sudo chgrp root /etc/cron.deny
Rule Medium Severity -
Verify Owner on cron.deny
To properly set the owner of/etc/cron.deny, run the command:$ sudo chown root /etc/cron.deny
Rule Medium Severity -
The s-nail Package Is Installed
A mail server is required for sending emails. Thes-nailpackage can be installed with the following command:$ sudo dnf install s-nail
Rule Medium Severity -
Support session locking with tmux (not enforcing)
Thetmuxterminal multiplexer is used to implement automatic session locking. It should be started from/etc/bashrcor drop-in files within/etc/profile.d/.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.