At the command line, run the following command to verify an audit rule exists to audit account creations:

# auditctl -l | grep -E "(useradd|groupadd)"

Example result:

-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

If either "useradd" or "groupadd" is not listed with a permissions filter of at least "x", this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.
At the command line, run the following commands to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period:

# grep '^deny =' /etc/security/faillock.conf

Example result:

deny = 3

If the "deny" option is not set to "3" or less (but not "0"), is missing or commented out, this is a finding.

# grep '^fail_interval =' /etc/security/faillock.conf

Example result:

fail_interval = 900

If the "fail_interval" option is not set to "900" or more, is missing or commented out, this is a finding.

Note: If faillock.conf is not used to configure the "pam_faillock.so" module, then these options may be specified on the faillock lines in the system-auth and system-account PAM files.

Navigate to and open:

/etc/security/faillock.conf

Add or update the following lines:

deny = 3
fail_interval = 900

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
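A script that evaluates a faillock.conf file against the two thresholds above, added here as an example and not part of the STIG text; the function names are the example's own. It treats a commented-out or missing option as a finding and handles the "deny = 0" case, which the check text excludes even though 0 is numerically below 3.

```shell
#!/bin/bash
# Added example (not from the STIG): check /etc/security/faillock.conf for
#   deny in 1..3          (0 disables lockout entirely, so it is a finding)
#   fail_interval >= 900
# A commented-out or absent option is reported as a finding.

# Print the numeric value of an active (uncommented) "key = value" option.
# Leading whitespace is tolerated; if the key appears more than once this
# example takes the last occurrence. Prints nothing when the key is absent.
faillock_value() {
    local file="$1" key="$2"
    sed -nE "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p" "$file" | tail -n1
}

# Print one line per finding; return 0 when compliant, 1 otherwise.
check_faillock() {
    local file="$1" deny interval findings=0
    deny=$(faillock_value "$file" deny)
    interval=$(faillock_value "$file" fail_interval)

    if [ -z "$deny" ]; then
        echo "FINDING: deny is missing or commented out in $file"; findings=1
    elif [ "$deny" -eq 0 ] || [ "$deny" -gt 3 ]; then
        # "3 or less (but not 0)": only 1, 2 and 3 satisfy the check.
        echo "FINDING: deny = $deny is not in the range 1..3"; findings=1
    fi

    if [ -z "$interval" ]; then
        echo "FINDING: fail_interval is missing or commented out in $file"; findings=1
    elif [ "$interval" -lt 900 ]; then
        echo "FINDING: fail_interval = $interval is less than 900 seconds"; findings=1
    fi
    return $findings
}

# Usage: bash faillock-check.sh /etc/security/faillock.conf
if [ "${1-}" ]; then check_faillock "$1"; fi
```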
At the command line, run the following command to verify SSH is configured to use the /etc/issue file for a banner:

# sshd -T|&grep -i Banner

Example result:

banner /etc/issue

If the "banner" setting is not configured to "/etc/issue", this is a finding.

Next, open /etc/issue with a text editor. If the file does not contain the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Standard Mandatory DOD Notice and Consent Banner:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "Banner" line is uncommented and set to the following:

Banner /etc/issue

Navigate to and open:

/etc/issue

Ensure the file contains the Standard Mandatory DOD Notice and Consent Banner.

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

At the command line, run the following command:

# systemctl restart sshd.service
At the command line, run the following command to verify the limit for the number of concurrent sessions:

# grep "^[^#].*maxlogins.*" /etc/security/limits.conf

Example result:

* hard maxlogins 10

If "* hard maxlogins" is not configured to "10", this is a finding.

Note: The expected result may be repeated multiple times.

Navigate to and open:

/etc/security/limits.conf

Add or update the following line:

* hard maxlogins 10
If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.

At the command line, run the following command to verify rsyslog is configured to log authentication requests:

# grep -E "(^auth.*|^authpriv.*|^daemon.*)" /etc/rsyslog.conf

Example result:

auth.*;authpriv.*;daemon.* /var/log/audit/sshinfo.log

If "auth.*", "authpriv.*", and "daemon.*" are not configured to be logged, this is a finding.

Navigate to and open:

/etc/rsyslog.conf

Add or update the following line:

auth.*;authpriv.*;daemon.* /var/log/audit/sshinfo.log

Note: The path can be substituted for another suitable log destination dedicated to authentication logs.

At the command line, run the following command:

# systemctl restart rsyslog.service
At the command line, run the following command to verify the OpenSSL FIPS provider is installed:

# rpm -qa | grep openssl-fips

Example result:

openssl-fips-provider-3.0.3-1.ph4.x86_64

If there is no output indicating that the OpenSSL FIPS provider is installed, this is a finding.

At the command line, run the following command:

# tdnf install openssl-fips-provider
At the command line, run the following command to verify auditd is configured to write logs to disk:

# grep '^write_logs' /etc/audit/auditd.conf

Example result:

write_logs = yes

If there is no output, this is not a finding.

If "write_logs" exists and is not configured to "yes", this is a finding.

Navigate to and open:

/etc/audit/auditd.conf

Ensure the "write_logs" line is uncommented and set to the following:

write_logs = yes

At the command line, run the following command:

# pkill -SIGHUP auditd
At the command line, run the following command to verify auditd is enabled and running:

# systemctl status auditd

If the service is not enabled and running, this is a finding.

At the command line, run the following commands:

# systemctl enable auditd
# systemctl start auditd
At the command line, run the following command to verify audit rules exist to audit privileged functions:

# auditctl -l | grep execve

Expected result:

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv

If the output does not match the expected result, this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.
At the command line, run the following command to verify auditd is configured to send an alert via syslog in the event of an audit processing failure:

# grep -E "^disk_full_action|^disk_error_action|^admin_space_left_action" /etc/audit/auditd.conf

Example result:

admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG

If "disk_full_action", "disk_error_action", and "admin_space_left_action" are not set to SYSLOG or are missing, this is a finding.

Navigate to and open:

/etc/audit/auditd.conf

Ensure the following lines are present, not duplicated, and not commented:

disk_full_action = SYSLOG
disk_error_action = SYSLOG
admin_space_left_action = SYSLOG

At the command line, run the following command:

# pkill -SIGHUP auditd
At the command line, run the following command to find the current auditd log location:

# grep -iw log_file /etc/audit/auditd.conf

Example result:

log_file = /var/log/audit/audit.log

At the command line, run the following command using the file found in the previous step to verify auditd logs are protected from unauthorized access:

# stat -c "%n %U:%G %a" /var/log/audit/audit.log

Example result:

/var/log/audit/audit.log root:root 600

If the audit log file does not have permissions set to "0600", this is a finding.

If the audit log file is not owned by root, this is a finding.

If the audit log file is not group owned by root, this is a finding.

At the command line, run the following commands:

# chmod 0600 <audit log file>
# chown root:root <audit log file>

Replace <audit log file> with the target log file.

Note: If "log_group" is configured in the auditd.conf file and set to something other than "root", the permissions changes will not be persistent.
At the command line, run the following command to verify permissions on auditd configuration and rules files:

# find /etc/audit/* -type f -exec stat -c "%n %U:%G %a" {} \;

If any files are returned with permissions more permissive than "0640", this is a finding.

If any files are returned not owned by root, this is a finding.

If any files are returned not group owned by root, this is a finding.

At the command line, run the following commands:

# chmod 0640 <audit file>
# chown root:root <audit file>

Replace <audit file> with the target file.
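A helper for the ownership and permission checks above, added here as an example and not part of the STIG text. The point it makes concrete is that "more permissive than 0640" is a comparison of permission bits, not of numbers: 0600 is acceptable, while 0604 is not even though 604 < 640. The same routine applies to the /var/log and audit-tool checks later on the page with a different maximum; the function names are the example's own and the sample stat output is constructed.

```shell
#!/bin/bash
# Added example (not from the STIG): evaluate lines in the format produced by
#   find /etc/audit/* -type f -exec stat -c "%n %U:%G %a" {} \;
# i.e. "path owner:group mode", and report any file that is not root:root or
# whose mode grants a permission bit beyond the allowed maximum.

# Return 0 if octal mode $1 sets no permission bit that octal mode $2 lacks.
# A leading 0 makes the shell parse the value as octal, so "640" and "0640"
# both work; the bitwise test is what "more permissive than" actually means.
mode_within() {
    local actual=$(( 0$1 )) allowed=$(( 0$2 ))
    [ $(( actual & ~allowed )) -eq 0 ]
}

# Read "path owner:group mode" lines from stdin; $1 is the maximum allowed
# mode (0640 for audit config files, 0600 for the audit log, 0755 for
# /var/log). Prints one line per finding; returns 0 only when there are none.
check_stat_lines() {
    local max="$1" path og mode findings=0
    while read -r path og mode; do
        [ -n "$path" ] || continue
        if [ "$og" != "root:root" ]; then
            echo "FINDING: $path is owned by $og, expected root:root"; findings=1
        fi
        if ! mode_within "$mode" "$max"; then
            echo "FINDING: $path has mode $mode, more permissive than $max"; findings=1
        fi
    done
    return $findings
}

# Constructed sample (not from a real system). Two findings are expected:
# the rules file is group/world readable beyond 0640, and the plugin config
# is group owned by "audit" rather than "root".
SAMPLE_STAT='/etc/audit/auditd.conf root:root 640
/etc/audit/audit.rules root:root 600
/etc/audit/rules.d/audit.STIG.rules root:root 644
/etc/audit/plugins.d/syslog.conf root:audit 640'

# Usage: find /etc/audit/* -type f -exec stat -c "%n %U:%G %a" {} \; | bash perm-check.sh 0640
# Without an argument the constructed sample is evaluated instead.
if [ "${1-}" ]; then
    check_stat_lines "$1"
elif printf '%s\n' "$SAMPLE_STAT" | check_stat_lines 0640; then
    echo "sample: no findings"
else
    echo "sample: findings present"
fi
```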
At the command line, run the following command to verify audit rules exist to audit permission modifications:

# auditctl -l | grep chmod

Expected result:

-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod

If the output does not match the expected result, this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Note: auid!=-1, auid!=4294967295, auid!=unset are functionally equivalent in this check and the output of the above commands may be displayed in either format.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.
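An added example, not part of the STIG text, that checks whether every expected audit rule is present in live "auditctl -l" output while tolerating the three auid spellings the note above calls equivalent and ignoring extra rules the system may carry; the same routine fits the later modprobe check, where the output may likewise include other statements. The function names and the rule listings are the example's own, and the constructed auditctl output deliberately omits one expected rule.

```shell
#!/bin/bash
# Added example (not from the STIG): set-inclusion check of expected audit
# rules against actual "auditctl -l" output. Extra rules in the actual output
# are ignored; only expected rules that are absent are reported.

# Canonicalise rule text on stdin so equivalent spellings compare equal:
# collapse runs of whitespace, strip leading/trailing blanks, and rewrite
# "auid!=-1" and "auid!=4294967295" to "auid!=unset" (all three mean the
# same thing: the login UID was never set).
normalize_rule() {
    sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//; s/auid!=(-1|4294967295)/auid!=unset/g'
}

# $1: file containing the expected rules, one per line (blank lines ignored).
# stdin: actual rule output. Prints each missing rule; returns 0 when none.
missing_rules() {
    local expected="$1" actual missing=0 rule
    actual=$(normalize_rule)   # read and canonicalise all of stdin once
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        rule=$(printf '%s\n' "$rule" | normalize_rule)
        if ! printf '%s\n' "$actual" | grep -Fxq -- "$rule"; then
            echo "MISSING: $rule"; missing=1
        fi
    done < "$expected"
    return $missing
}

# Expected rules in the form the fix text uses (auid!=unset).
EXPECTED_RULES='-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod'

# Constructed "auditctl -l" output (not from a real system): uses the
# auid!=-1 spelling, carries an unrelated extra rule, and lacks the
# "auid=0" perm_mod rule, which should be the only rule reported missing.
ACTUAL_RULES='-w /usr/sbin/useradd -p x -k useradd
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod'

# Usage: auditctl -l | bash rules-check.sh expected.rules
# Without an argument the constructed sample above is evaluated instead.
if [ "${1-}" ]; then
    missing_rules "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$EXPECTED_RULES" > "$tmp"
    printf '%s\n' "$ACTUAL_RULES" | missing_rules "$tmp" || true
    rm -f "$tmp"
fi
```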
At the command line, run the following command to verify that at least one uppercase character is required:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "ucredit" option is not < 0, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "ucredit" option set to "-1" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify that at least one lowercase character is required:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "lcredit" option is not < 0, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "lcredit" option set to "-1" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify that at least one numeric character is required:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "dcredit" option is not < 0, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "dcredit" option set to "-1" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify that at least eight different characters are required:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "difok" option is not >= 8, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "difok" option set to "8" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify passwords are stored with only encrypted representations:

# grep ^ENCRYPT_METHOD /etc/login.defs

Example result:

ENCRYPT_METHOD SHA512

If the "ENCRYPT_METHOD" option is not set to "SHA512", is missing or commented out, this is a finding.

Navigate to and open:

/etc/login.defs

Add or update the following line:

ENCRYPT_METHOD SHA512
At the command line, run the following command to verify telnet is not installed:

# rpm -qa | grep telnet

If any results are returned indicating telnet is installed, this is a finding.

At the command line, run the following command:

# tdnf remove <package name>
At the command line, run the following command to verify one day as the minimum password lifetime:

# grep '^PASS_MIN_DAYS' /etc/login.defs

If "PASS_MIN_DAYS" is not set to 1, is missing or commented out, this is a finding.

Navigate to and open:

/etc/login.defs

Add or update the following line:

PASS_MIN_DAYS 1
At the command line, run the following command to verify a 90-day maximum password lifetime restriction:

# grep '^PASS_MAX_DAYS' /etc/login.defs

If "PASS_MAX_DAYS" is not set to <= 90, is missing or commented out, this is a finding.

Navigate to and open:

/etc/login.defs

Add or update the following line:

PASS_MAX_DAYS 90
At the command line, run the following command to verify passwords are not reused for a minimum of five generations:

# grep '^password.*pam_pwhistory.so' /etc/pam.d/system-password

Example result:

password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok

If the "remember" option is not set to "5" or greater, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwhistory.so line to have the "remember" option set to 5 or greater as follows:

password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify a minimum 15-character password length:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "minlen" option is not >= 15, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "minlen" option set to "15" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify a password is required to edit the grub bootloader to boot into single-user mode:

# grep -E "^set\ssuperusers|^password_pbkdf2" /boot/grub2/grub.cfg

Example output:

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.[password_hash]

If superusers is not set, this is a finding.

If a password is not set for the super user, this is a finding.

Before proceeding, ensure a snapshot is taken to rollback if needed.

At the command line, run the following command to generate a grub password:

# grub2-mkpasswd-pbkdf2

Enter a secure password and ensure this password is stored for break-glass situations. Users will not be able to recover the root account without knowing this separate password.

Copy the resulting encrypted string. An example string is below:

grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86

Note: The grub2 package must be installed to generate a password for grub.

Navigate to and open:

/boot/grub2/grub.cfg

Find the line that begins with "set rootpartition". Below this line, paste the following on its own line:

set superusers="root"

Note: The superusers name can be a value other than root and is not tied to an OS account.

Below this paste the following, substituting the user's own encrypted string from the steps above:

password_pbkdf2 root <YOUR-LONG-STRING-FROM-ABOVE>

Next edit the default Photon menuentry block with the "--unrestricted" parameter so that it will continue to boot without prompting for credentials, for example:

menuentry "Photon" --unrestricted {
    linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1
    if [ -f /boot/$photon_initrd ]; then
        initrd /boot/$photon_initrd
    fi
}

When booting now, if users press "e" when the Photon splash screen appears, users will be prompted for credentials before being presented the option to edit the boot loader before system startup.

Note: Photon does not support building grub changes via grub2-mkconfig.
At the command line, run the following command to verify the following kernel modules are not loaded:

# modprobe --showconfig | grep "^install" | grep "/bin"

Expected result:

install bridge /bin/false
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false

The output may include other statements outside of the expected result.

If the output does not include at least every statement in the expected result, this is a finding.

Navigate to and open:

/etc/modprobe.d/modprobe.conf

Set the contents as follows:

install bridge /bin/false
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
At the command line, run the following command to verify there are no duplicate user IDs present:

# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd

If any lines are returned, this is a finding.

Navigate to and open:

/etc/passwd

Configure each user account that has a duplicate UID with a unique UID.
At the command line, run the following command to verify system-password is configured to encrypt representations of passwords:

# grep sha512 /etc/pam.d/system-password

Example result:

password required pam_unix.so sha512 shadow use_authtok

If the "pam_unix.so" module is not configured with the "sha512" parameter, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Add or update the following line:

password required pam_unix.so sha512 shadow use_authtok
At the command line, run the following command to verify kernel message buffer restrictions are enabled:

# /sbin/sysctl kernel.dmesg_restrict

Example result:

kernel.dmesg_restrict = 1

If the "kernel.dmesg_restrict" kernel parameter is not set to "1", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following line:

kernel.dmesg_restrict = 1

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command to verify TCP syncookies are enabled:

# /sbin/sysctl net.ipv4.tcp_syncookies

Example result:

net.ipv4.tcp_syncookies = 1

If "net.ipv4.tcp_syncookies" is not set to "1", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following line:

net.ipv4.tcp_syncookies = 1

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i ClientAliveInterval

Example result:

ClientAliveInterval 900

If there is no output or if "ClientAliveInterval" is not set to "900", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "ClientAliveInterval" line is uncommented and set to the following:

ClientAliveInterval 900

At the command line, run the following command:

# systemctl restart sshd.service
At the command line, run the following command to verify permissions on the /var/log directory:

# stat -c "%n is owned by %U and group owned by %G with permissions of %a" /var/log

Expected result:

/var/log is owned by root and group owned by root with permissions of 755

If the /var/log directory is not owned by root, this is a finding.

If the /var/log directory is not group owned by root, this is a finding.

If the /var/log directory permissions are not set to 0755 or less, this is a finding.

At the command line, run the following commands:

# chown root:root /var/log
# chmod 0755 /var/log
If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.

At the command line, run the following command to verify rsyslog generates log files that are not world readable:

# grep '^\$umask' /etc/rsyslog.conf

Example result:

$umask 0037

If "$umask" is not set to "0037" or more restrictive, this is a finding.

Navigate to and open:

/etc/rsyslog.conf

Add or update the following line:

$umask 0037

At the command line, run the following command:

# systemctl restart rsyslog.service
At the command line, run the following command to verify an audit rule exists to audit account modifications:

# auditctl -l | grep -E "(usermod|groupmod)"

Example result:

-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod

If either "usermod" or "groupmod" is not listed with a permissions filter of at least "x", this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.
At the command line, run the following command to verify an audit rule exists to audit account removals:

# auditctl -l | grep -E "(userdel|groupdel)"

Example result:

-w /usr/sbin/userdel -p x -k userdel
-w /usr/sbin/groupdel -p x -k groupdel

If either "userdel" or "groupdel" is not listed with a permissions filter of at least "x", this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-w /usr/sbin/userdel -p x -k userdel
-w /usr/sbin/groupdel -p x -k groupdel

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.
At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i Ciphers

Expected result:

ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

If the output matches the ciphers in the expected result or a subset thereof, this is not a finding.

If the ciphers in the output contain any ciphers not listed in the expected result, this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "Ciphers" line is uncommented and set to the following:

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

At the command line, run the following command:

# systemctl restart sshd.service
At the command line, run the following command to verify auditing is enabled at startup:

# grep 'audit' /proc/cmdline

Example result:

BOOT_IMAGE=/boot/vmlinuz-5.10.109-2.ph4-esx root=PARTUUID=6e6293c6-9ab6-49e9-aa97-9b212f2e037a init=/lib/systemd/systemd rcupdate.rcu_expedited=1 rw systemd.show_status=1 quiet noreplace-smp cpu_init_udelay=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes audit=1

If the "audit" parameter is not present with a value of "1", this is a finding.

Navigate to and open:

/boot/grub2/grub.cfg

Locate the boot command line arguments. An example follows:

linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline

Add "audit=1" to the end of the line so it reads as follows:

linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1

Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append "audit=1" to it.

Reboot the system for the change to take effect.
At the command line, run the following command to verify permissions on audit tools:

# stat -c "%n is owned by %U and group owned by %G and permissions are %a" /usr/sbin/audispd /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace /usr/sbin/augenrules

Expected result:

/usr/sbin/audispd is owned by root and group owned by root and permissions are 750
/usr/sbin/auditctl is owned by root and group owned by root and permissions are 755
/usr/sbin/auditd is owned by root and group owned by root and permissions are 755
/usr/sbin/aureport is owned by root and group owned by root and permissions are 755
/usr/sbin/ausearch is owned by root and group owned by root and permissions are 755
/usr/sbin/autrace is owned by root and group owned by root and permissions are 755
/usr/sbin/augenrules is owned by root and group owned by root and permissions are 750

If any file is not owned by root or group owned by root or permissions are more permissive than listed above, this is a finding.

At the command line, run the following commands for each file returned:

# chown root:root <file>
# chmod 750 <file>

Note: Update permissions to match the target file as listed in the check text.
At the command line, run the following command to verify at least one special character is required in passwords:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "ocredit" option is not < 0, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "ocredit" option set to "-1" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package. At the command line, run the following command:

# rpm -V audit | grep "^..5"

Example output:

S.5....T. c /etc/audit/auditd.conf

If there is any output for files that are not configuration files, this is a finding.

If the audit system binaries have been altered, investigate the cause and then reinstall the audit package to restore the integrity of the package.

If performed on a VMware appliance, reinstalling the audit tools is not supported. The appliance should be restored from a backup or redeployed once the root cause is remediated.

At the command line, run the following command:

# grep -E "TMOUT=900" /etc/bash.bashrc /etc/profile.d/*

Example result:

/etc/profile.d/tmout.sh:TMOUT=900

If the "TMOUT" environment variable is not set, the value is more than "900", or is set to "0", this is a finding.

Navigate to and open:

/etc/profile.d/tmout.sh

Set its content to the following:

TMOUT=900
readonly TMOUT
export TMOUT
mesg n 2>/dev/null

At the command line, run the following command to verify symlink protection is enabled:

# /sbin/sysctl fs.protected_symlinks

Example result:

fs.protected_symlinks = 1

If the "fs.protected_symlinks" kernel parameter is not set to "1", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following line:

fs.protected_symlinks = 1

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

At the command line, run the following command to output a list of files with setuid/setgid configured and their corresponding audit rules:

# for file in $(find / -xdev -path /var/lib/containerd -prune -o \( -perm -4000 -o -perm -2000 \) -type f -print | sort); do echo "Found file with setuid/setgid configured: $file";rule="$(auditctl -l | grep "$file ")";echo "Audit Rule Result: $rule";echo ""; done

Example output:

Found file with setuid/setgid configured: /usr/bin/chage
Audit Rule Result: -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged

Found file with setuid/setgid configured: /usr/bin/chfn
Audit Rule Result: -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged

If any file returned does not have a corresponding audit rule, this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Note: auid!=-1, auid!=4294967295, auid!=unset are functionally equivalent in this check and the output of the above commands may be displayed in either format.

Run the following steps for each file found in the check that does not have a corresponding line in the audit rules:

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add the following line:

-a always,exit -F path=<path> -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

At the command line, run the following command to verify accounts are locked until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made:

# grep '^unlock_time =' /etc/security/faillock.conf

Example result:

unlock_time = 0

If the "unlock_time" option is not set to "0", is missing or commented out, this is a finding.

Navigate to and open:

/etc/security/faillock.conf

Add or update the following line:

unlock_time = 0

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure:

# grep -E "^num_logs|^max_log_file_action" /etc/audit/auditd.conf

Example result:

num_logs = 5
max_log_file_action = ROTATE

If "num_logs" is not configured to "5" or greater, this is a finding.

If "max_log_file_action" is not configured to "ROTATE", this is a finding.

Navigate to and open:

/etc/audit/auditd.conf

Ensure the following lines are present, not duplicated, and not commented:

num_logs = 5
max_log_file_action = ROTATE

At the command line, run the following command:

# pkill -SIGHUP auditd

At the command line, run the following command to verify auditd is alerting when low disk space is detected:

# grep '^space_left' /etc/audit/auditd.conf

Expected result:

space_left = 25%
space_left_action = SYSLOG

If the output does not match the expected result, this is a finding.

Navigate to and open:

/etc/audit/auditd.conf

Ensure the "space_left" and "space_left_action" lines are uncommented and set to the following:

space_left = 25%
space_left_action = SYSLOG

At the command line, run the following command:

# pkill -SIGHUP auditd

At the command line, run the following command to verify software packages are cryptographically verified during installation:

# grep '^gpgcheck' /etc/tdnf/tdnf.conf

Example result:

gpgcheck=1

If "gpgcheck" is not set to "true", "1", or "yes", this is a finding.

Navigate to and open:

/etc/tdnf/tdnf.conf

Add or update the following line:

gpgcheck=1

At the command line, run the following commands to verify users with a set password are not allowed to sudo without reauthentication:

# grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -vE '(^#|^%)'

# awk -F: '($2 != "x" && $2 != "!") {print $1}' /etc/shadow

If any account listed in the first output is also listed in the second output and is not documented, this is a finding.

Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:

# visudo

OR

# visudo -f /etc/sudoers.d/<file name>

Remove any occurrences of "NOPASSWD" tags associated with user accounts with a password hash.

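The check above leaves the comparison of the two lists to the reviewer. As an added example (not part of the STIG text), the script below performs that intersection: accounts named on uncommented, non-group NOPASSWD lines that also carry a password hash in a shadow-style file. File paths are parameters; the sudoers and shadow contents in the script are constructed samples, not from any real host.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automates the two-step check above by
# intersecting accounts that carry a NOPASSWD tag in sudoers-style files with
# accounts that have a password hash in a shadow-style file. Paths are
# parameters so the logic can be run against the constructed samples below
# or, as root, against the real /etc/sudoers, /etc/sudoers.d/* and /etc/shadow.
LC_ALL=C
export LC_ALL

# Users named on NOPASSWD lines. Comment lines and group specs (%group) are
# skipped, matching the STIG's grep -vE '(^#|^%)'.
nopasswd_users() {
    cat "$@" 2>/dev/null \
        | grep -i 'nopasswd' \
        | grep -vE '^[[:space:]]*(#|%)' \
        | awk '{ print $1 }' \
        | sort -u
}

# Accounts whose password field is neither "x" nor "!" (the STIG's awk test),
# i.e. accounts that carry a hash in the shadow file.
hashed_password_users() {
    awk -F: '$2 != "x" && $2 != "!" { print $1 }' "$1" | sort -u
}

# Accounts appearing in both lists. Each one is a finding unless documented.
# $1 is the shadow file; the remaining arguments are sudoers files.
nopasswd_with_hash() {
    shadow="$1"; shift
    np="$(mktemp)"; hp="$(mktemp)"
    nopasswd_users "$@" > "$np"
    hashed_password_users "$shadow" > "$hp"
    comm -12 "$np" "$hp"
    rm -f "$np" "$hp"
}

# Writes constructed sample files (not from any real host), runs the check and
# prints the offending accounts. Expected output: bob only, because alice's
# NOPASSWD line is commented out, %wheel is a group, carol's account is locked
# ("!") and dave has no hash ("x").
run_sample_check() {
    d="$(mktemp -d)"
    cat > "$d/sudoers" <<'EOF'
# alice ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
bob ALL=(ALL) NOPASSWD: /usr/bin/systemctl
EOF
    cat > "$d/sudoers.d-example" <<'EOF'
carol ALL=(ALL) NOPASSWD: ALL
dave ALL=(ALL) NOPASSWD: ALL
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:$6$constructedsalt$constructedhash:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
dave:x:19000:0:99999:7:::
EOF
    nopasswd_with_hash "$d/shadow" "$d/sudoers" "$d/sudoers.d-example"
    rm -rf "$d"
}

run_sample_check
```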
At the command line, run the following command to verify address space layout randomization is enabled:

# cat /proc/sys/kernel/randomize_va_space

If the value of "randomize_va_space" is not "2", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following line:

kernel.randomize_va_space=2

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

At the command line, run the following command:

# grep -i '^clean_requirements_on_remove' /etc/tdnf/tdnf.conf

Example result:

clean_requirements_on_remove=1

If "clean_requirements_on_remove" is not set to "true", "1", or "yes", this is a finding.

Navigate to and open:

/etc/tdnf/tdnf.conf

Add or update the following line:

clean_requirements_on_remove=1

At the command line, run the following command to verify an audit rule exists to audit logon attempts:

# auditctl -l | grep -E "faillog|lastlog|tallylog"

Expected result:

-w /var/log/faillog -p wa -k logons
-w /var/log/lastlog -p wa -k logons
-w /var/log/tallylog -p wa -k logons

If the output does not match the expected result, this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-w /var/log/faillog -p wa -k logons
-w /var/log/lastlog -p wa -k logons
-w /var/log/tallylog -p wa -k logons

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

At the command line, run the following command to verify an audit rule exists to audit kernel modules:

# auditctl -l | grep init_module

Expected result:

-a always,exit -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules

If the output does not match the expected result, this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-a always,exit -F arch=b32 -S init_module -F key=modules
-a always,exit -F arch=b64 -S init_module -F key=modules

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

At the command line, run the following command to verify FIPS is enabled for the OS:

# cat /proc/sys/crypto/fips_enabled

Example result:

1

If "fips_enabled" is not set to "1", this is a finding.

Navigate to and open:

/boot/grub2/grub.cfg

Locate the boot command line arguments. An example follows:

linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline

Add "fips=1" to the end of the line so it reads as follows:

linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline fips=1

Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append "fips=1" to it.

Reboot the system for the change to take effect.

At the command line, run the following command to verify passwords do not match dictionary words:

# grep '^password.*pam_pwquality.so' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

If the "dictcheck" option is not set to 1, is missing or commented out, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Configure the pam_pwquality.so line to have the "dictcheck" option set to "1" as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify a four-second delay is configured between logon attempts:

# grep '^FAIL_DELAY' /etc/login.defs

Example result:

FAIL_DELAY 4

If the "FAIL_DELAY" option is not set to 4 or more, is missing or commented out, this is a finding.

Navigate to and open:

/etc/login.defs

Add or update the following line:

FAIL_DELAY 4

At the command line, run the following command to verify auditd is configured to flush audit events to disk regularly:

# grep -E "freq|flush" /etc/audit/auditd.conf

Example result:

flush = INCREMENTAL_ASYNC
freq = 50

If "flush" is not set to "INCREMENTAL_ASYNC", this is a finding.

If "freq" is not set to "50", this is a finding.

Navigate to and open:

/etc/audit/auditd.conf

Add or update the following lines:

flush = INCREMENTAL_ASYNC
freq = 50

At the command line, run the following command:

# pkill -SIGHUP auditd

At the command line, run the following command to verify the default umask configuration:

# grep '^UMASK' /etc/login.defs

Expected result:

UMASK 077

If the "UMASK" option is not set to "077", is missing or commented out, this is a finding.

Navigate to and open:

/etc/login.defs

Add or update the following line:

UMASK 077

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i HostbasedAuthentication

Example result:

hostbasedauthentication no

If "HostbasedAuthentication" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "HostbasedAuthentication" line is uncommented and set to the following:

HostbasedAuthentication no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following commands to verify the pam_faillock.so module is used:

# grep '^auth' /etc/pam.d/system-auth

Example result:

auth required pam_faillock.so preauth
auth required pam_unix.so
auth required pam_faillock.so authfail

If the pam_faillock.so module is not present with the "preauth" line listed before pam_unix.so, this is a finding.

If the pam_faillock.so module is not present with the "authfail" line listed after pam_unix.so, this is a finding.

# grep '^account' /etc/pam.d/system-account

Example result:

account required pam_faillock.so
account required pam_unix.so

If the pam_faillock.so module is not present and listed before pam_unix.so, this is a finding.

Navigate to and open:

/etc/pam.d/system-auth

Add or update the following lines, making sure to place the preauth line before the pam_unix.so module:

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail

Navigate to and open:

/etc/pam.d/system-account

Add or update the following line, making sure to place it before the pam_unix.so module:

account required pam_faillock.so

Note: The lines shown assume the /etc/security/faillock.conf file is used to configure pam_faillock.

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify account information is not leaked during the login process:

# grep '^silent' /etc/security/faillock.conf

Example result:

silent

If the "silent" option is not set, is missing or commented out, this is a finding.

Note: If faillock.conf is not used to configure pam_faillock.so, then these options may be specified on the faillock lines in the system-auth and system-account files.

Navigate to and open:

/etc/security/faillock.conf

Add or update the following line:

silent

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify that logon attempts by unknown users are audited:

# grep '^audit' /etc/security/faillock.conf

Example result:

audit

If the "audit" option is not set, is missing or commented out, this is a finding.

Note: If faillock.conf is not used to configure pam_faillock.so, then these options may be specified on the faillock lines in the system-auth and system-account files.

Navigate to and open:

/etc/security/faillock.conf

Add or update the following line:

audit

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify that locking accounts after three consecutive invalid logon attempts by a user during a 15-minute time period also applies to the root account:

# grep '^even_deny_root' /etc/security/faillock.conf

Example result:

even_deny_root

If the "even_deny_root" option is not set, is missing or commented out, this is a finding.

Note: If faillock.conf is not used to configure pam_faillock.so, then these options may be specified on the faillock lines in the system-auth and system-account files.

Navigate to and open:

/etc/security/faillock.conf

Add or update the following line:

even_deny_root

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify account locking persists lockouts between system reboots:

# grep '^dir' /etc/security/faillock.conf

Example result:

dir = /var/log/faillock

If the "dir" option is set to "/var/run/faillock", this is a finding.

If the "dir" option is not set to a persistent documented faillock directory, is missing or commented out, this is a finding.

Note: If faillock.conf is not used to configure pam_faillock.so, then these options may be specified on the faillock lines in the system-auth and system-account files.

Navigate to and open:

/etc/security/faillock.conf

Add or update the following line:

dir = /var/log/faillock

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

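The faillock.conf checks above (unlock_time, silent, audit, even_deny_root and dir) each grep one option. As an added example (not part of the STIG text), the script below evaluates all five against the same criteria in one pass, skipping commented-out lines the way the anchored greps do. The compliant and non-compliant configurations it writes are constructed samples; whether "dir" is the documented persistent directory still needs a human, so the script only flags the non-persistent /var/run/faillock.

```shell
#!/bin/sh
# Added example, not part of the STIG text: evaluates the faillock.conf options
# from the checks above (unlock_time, silent, audit, even_deny_root, dir) in one
# pass. Sample configurations below are constructed, not taken from any host.

# Print the value of the first uncommented "key = value" line for $2 in file $1,
# the word "set" for a bare flag such as "silent", or nothing if absent.
faillock_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]+$/, "", line)
            if (line == key) { print "set"; exit }
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[[:space:]]*=/) {
                    sub(/^[[:space:]]*=[[:space:]]*/, "", rest)
                    print rest
                    exit
                }
            }
        }' "$1"
}

# Print one PASS/FINDING line per option, then "FINDINGS <count>" as the last line.
check_faillock_conf() {
    f="$1"
    n=0
    v="$(faillock_get "$f" unlock_time)"
    if [ "$v" = "0" ]; then
        echo "PASS unlock_time = 0 (locked until an administrator releases it)"
    else
        echo "FINDING unlock_time is '${v:-missing}', expected 0"; n=$((n + 1))
    fi
    for flag in silent audit even_deny_root; do
        if [ "$(faillock_get "$f" "$flag")" = "set" ]; then
            echo "PASS $flag set"
        else
            echo "FINDING $flag missing or commented out"; n=$((n + 1))
        fi
    done
    v="$(faillock_get "$f" dir)"
    case "$v" in
        "") echo "FINDING dir missing or commented out"; n=$((n + 1)) ;;
        /var/run/faillock) echo "FINDING dir = /var/run/faillock does not survive a reboot"; n=$((n + 1)) ;;
        *) echo "PASS dir = $v (confirm it is the documented persistent directory)" ;;
    esac
    echo "FINDINGS $n"
}

# Write the constructed sample named by $1 (compliant or noncompliant) to a
# temporary file, run the check and print only the finding count.
faillock_sample_findings() {
    t="$(mktemp)"
    if [ "$1" = compliant ]; then
        cat > "$t" <<'EOF'
# unlock_time = 900   commented out, must be ignored
unlock_time = 0
silent
audit
even_deny_root
dir = /var/log/faillock
EOF
    else
        cat > "$t" <<'EOF'
# silent
unlock_time = 900
audit
dir = /var/run/faillock
EOF
    fi
    check_faillock_conf "$t" | awk '/^FINDINGS/ { print $2 }'
    rm -f "$t"
}

echo "compliant sample findings:    $(faillock_sample_findings compliant)"
echo "noncompliant sample findings: $(faillock_sample_findings noncompliant)"
```

Run check_faillock_conf directly against /etc/security/faillock.conf to see the per-option report; the non-compliant sample produces four findings (unlock_time, silent, even_deny_root, dir).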
At the command line, run the following command to verify the pam_pwquality.so module is used:

# grep '^password' /etc/pam.d/system-password

Example result:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1
password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok
password required pam_unix.so sha512 use_authtok shadow try_first_pass

If the pam_pwquality.so module is not present, this is a finding.

Navigate to and open:

/etc/pam.d/system-password

Add or update the pam_pwquality.so module line as follows:

password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1

Note: The line must be configured before pam_pwhistory.so.

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify software packages are cryptographically verified during installation:

# grep gpgcheck /etc/yum.repos.d/*

If "gpgcheck" is not set to "1" in any returned file, this is a finding.

Open the file where "gpgcheck" is not set to 1 with a text editor.

Add or update the following line:

gpgcheck=1

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i SyslogFacility

Example result:

syslogfacility AUTHPRIV

If "syslogfacility" is not set to "AUTH" or "AUTHPRIV", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "SyslogFacility" line is uncommented and set to the following:

SyslogFacility AUTHPRIV

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i LogLevel

Example result:

loglevel INFO

If "LogLevel" is not set to "INFO", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "LogLevel" line is uncommented and set to the following:

LogLevel INFO

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i ClientAliveCountMax

Expected result:

clientalivecountmax 0

If "ClientAliveCountMax" is not set to "0", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "ClientAliveCountMax" line is uncommented and set to the following:

ClientAliveCountMax 0

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify an audit rule exists to audit account modifications:

# auditctl -l | grep -E "(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)"

Expected result:

-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow

If the output does not match the expected result, this is a finding.

Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.

Navigate to and open:

/etc/audit/rules.d/audit.STIG.rules

Add or update the following lines:

-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow

At the command line, run the following command to load the new audit rules:

# /sbin/augenrules --load

Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd.

Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.

At the command line, run the following command to verify the pam_faildelay.so module is used:

# grep '^auth' /etc/pam.d/system-auth

Example result:

auth required pam_faillock.so preauth
auth required pam_unix.so
auth required pam_faillock.so authfail
auth optional pam_faildelay.so delay=4000000

If the pam_faildelay.so module is not present with the delay set to at least four seconds, this is a finding.

Note: The delay is configured in milliseconds.

Navigate to and open:

/etc/pam.d/system-auth

Add or update the following line:

auth optional pam_faildelay.so delay=4000000

Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i PermitEmptyPasswords

Example result:

permitemptypasswords no

If "PermitEmptyPasswords" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "PermitEmptyPasswords" line is uncommented and set to the following:

PermitEmptyPasswords no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i PermitUserEnvironment

Example result:

permituserenvironment no

If "PermitUserEnvironment" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "PermitUserEnvironment" line is uncommented and set to the following:

PermitUserEnvironment no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify a home directory is created for all new user accounts:

# grep '^CREATE_HOME' /etc/login.defs

Example result:

CREATE_HOME yes

If the "CREATE_HOME" option is not set to "yes", is missing or commented out, this is a finding.

Navigate to and open:

/etc/login.defs

Add or update the following line:

CREATE_HOME yes

At the command line, run the following command to verify the debug-shell service is disabled:

# systemctl status debug-shell.service

If the debug-shell service is not stopped and disabled, this is a finding.

At the command line, run the following commands:

# systemctl stop debug-shell.service
# systemctl disable debug-shell.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i GSSAPIAuthentication

Example result:

gssapiauthentication no

If "GSSAPIAuthentication" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "GSSAPIAuthentication" line is uncommented and set to the following:

GSSAPIAuthentication no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i X11Forwarding

Example result:

x11forwarding no

If "X11Forwarding" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "X11Forwarding" line is uncommented and set to the following:

X11Forwarding no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i StrictModes

Example result:

strictmodes yes

If "StrictModes" is not set to "yes", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "StrictModes" line is uncommented and set to the following:

StrictModes yes

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i KerberosAuthentication

Example result:

kerberosauthentication no

If "KerberosAuthentication" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "KerberosAuthentication" line is uncommented and set to the following:

KerberosAuthentication no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i Compression

Example result:

compression no

If there is no output or if "Compression" is not set to "delayed" or "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "Compression" line is uncommented and set to the following:

Compression no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i PrintLastLog

Example result:

printlastlog yes

If "PrintLastLog" is not set to "yes", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "PrintLastLog" line is uncommented and set to the following:

PrintLastLog yes

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i IgnoreRhosts

Example result:

ignorerhosts yes

If "IgnoreRhosts" is not set to "yes", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "IgnoreRhosts" line is uncommented and set to the following:

IgnoreRhosts yes

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i IgnoreUserKnownHosts

Expected result:

ignoreuserknownhosts yes

If "IgnoreUserKnownHosts" is not set to "yes", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "IgnoreUserKnownHosts" line is uncommented and set to the following:

IgnoreUserKnownHosts yes

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i MaxAuthTries

Example result:

maxauthtries 6

If "MaxAuthTries" is not set to "6", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "MaxAuthTries" line is uncommented and set to the following:

MaxAuthTries 6

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i AllowTcpForwarding

Example result:

allowtcpforwarding no

If "AllowTcpForwarding" is not set to "no", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "AllowTcpForwarding" line is uncommented and set to the following:

AllowTcpForwarding no

At the command line, run the following command:

# systemctl restart sshd.service

At the command line, run the following command to verify the running configuration of sshd:

# sshd -T|&grep -i LoginGraceTime

Example result:

logingracetime 30

If "LoginGraceTime" is not set to "30", this is a finding.

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "LoginGraceTime" line is uncommented and set to the following:

LoginGraceTime 30

At the command line, run the following command:

# systemctl restart sshd.service

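The sshd checks above each grep one keyword out of "sshd -T". As an added example (not part of the STIG text), the script below compares a saved "sshd -T" output against all of those required values at once, using the same effective-configuration source the checks rely on rather than the text of sshd_config. The "sshd -T" excerpt it writes is a constructed sample, not output from any real host.

```shell
#!/bin/sh
# Added example, not part of the STIG text: compares "sshd -T" output against the
# values required by the sshd checks above in a single pass, instead of one grep
# per keyword. Run "sshd -T > /tmp/sshd-effective.txt" as root and pass that
# file; the sample below is constructed output, not from any real host.

# Keyword (lowercase, as sshd -T prints it) and the allowed values, "|"-separated.
SSHD_EXPECTED='
hostbasedauthentication no
syslogfacility AUTH|AUTHPRIV
loglevel INFO
clientalivecountmax 0
permitemptypasswords no
permituserenvironment no
gssapiauthentication no
x11forwarding no
strictmodes yes
kerberosauthentication no
compression no|delayed
printlastlog yes
ignorerhosts yes
ignoreuserknownhosts yes
maxauthtries 6
allowtcpforwarding no
logingracetime 30
'

# Print one PASS/FINDING line per expected keyword, then "FINDINGS <count>".
# $1 is a file holding "sshd -T" output. Values compare case-insensitively and
# a keyword absent from the output counts as a finding.
check_sshd_config() {
    printf '%s\n' "$SSHD_EXPECTED" | awk -v cfg="$1" '
        NF == 2 { allowed[$1] = $2; order[++n] = $1 }
        END {
            while ((getline line < cfg) > 0) {
                split(line, f, " ")
                actual[tolower(f[1])] = f[2]
            }
            close(cfg)
            findings = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                ok = 0
                if (k in actual) {
                    m = split(allowed[k], alts, "|")
                    for (j = 1; j <= m; j++)
                        if (tolower(actual[k]) == tolower(alts[j])) ok = 1
                }
                if (ok) {
                    print "PASS " k " " actual[k]
                } else {
                    print "FINDING " k " is " ((k in actual) ? actual[k] : "missing") ", expected " allowed[k]
                    findings++
                }
            }
            print "FINDINGS " findings
        }'
}

# Constructed sample with three deviations: clientalivecountmax, x11forwarding
# and a missing logingracetime line. Prints only the finding count.
sshd_sample_findings() {
    t="$(mktemp)"
    cat > "$t" <<'EOF'
port 22
addressfamily any
hostbasedauthentication no
syslogfacility AUTHPRIV
loglevel INFO
clientalivecountmax 3
permitemptypasswords no
permituserenvironment no
gssapiauthentication no
x11forwarding yes
strictmodes yes
kerberosauthentication no
compression no
printlastlog yes
ignorerhosts yes
ignoreuserknownhosts yes
maxauthtries 6
allowtcpforwarding no
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
EOF
    check_sshd_config "$t" | awk '/^FINDINGS/ { print $2 }'
    rm -f "$t"
}

echo "sample findings: $(sshd_sample_findings)"
```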
At the command line, run the following command to verify the ctrl-alt-del target is disabled and masked:

# systemctl status ctrl-alt-del.target --no-pager

Example output:

ctrl-alt-del.target
Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.)
Active: inactive (dead)

If the "ctrl-alt-del.target" is not "inactive" and "masked", this is a finding.

At the command line, run the following commands:

# systemctl disable ctrl-alt-del.target
# systemctl mask ctrl-alt-del.target
# systemctl daemon-reload

At the command line, run the following command to verify source-routed packets are not forwarded:

# /sbin/sysctl -a --pattern "net.ipv[4|6].conf.(all|default).accept_source_route"

Expected result:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

If the "accept_source_route" kernel parameters are not set to "0", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following lines:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

At the command line, run the following command to verify ICMP echoes sent to a broadcast address are ignored:

# /sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts

Example result:

net.ipv4.icmp_echo_ignore_broadcasts = 1

If the "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter is not set to "1", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

At the command line, run the following command to verify ICMP redirects are not accepted:

# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).accept_redirects"

Expected result:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

If the "accept_redirects" kernel parameters are not set to "0", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following lines:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

At the command line, run the following command to verify ICMP secure redirects are not accepted:

# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).secure_redirects"

Expected result:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

If the "secure_redirects" kernel parameters are not set to "0", this is a finding.

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following lines:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

At the command line, run the following command to verify ICMP redirects are not sent: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).send_redirects" Expected result: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 If the "send_redirects" kernel parameters are not set to "0", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following lines: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command to verify martian packets are logged: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).log_martians" Expected result: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 If the "log_martians" kernel parameters are not set to "1", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following lines: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command to verify IPv4 traffic is using a reverse path filter: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).rp_filter" Expected result: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 If the "rp_filter" kernel parameters are not set to "1", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following lines: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
If IP forwarding is required, for example if Kubernetes is installed, this is Not Applicable. At the command line, run the following command to verify packet forwarding is disabled: # /sbin/sysctl net.ipv4.ip_forward Expected result: net.ipv4.ip_forward = 0 If the "net.ipv4.ip_forward" kernel parameter is not set to "0", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following line: net.ipv4.ip_forward = 0 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command to verify TCP timestamps are enabled: # /sbin/sysctl net.ipv4.tcp_timestamps Expected result: net.ipv4.tcp_timestamps = 1 If the "net.ipv4.tcp_timestamps" kernel parameter is not set to "1", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following line: net.ipv4.tcp_timestamps = 1 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key.pub Example result: /etc/ssh/ssh_host_dsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root /etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root If any "key.pub" file listed is not owned by root or not group owned by root or does not have permissions of "0644", this is a finding.
At the command line, run the following commands for each returned file: # chmod 644 <file> # chown root:root <file> # systemctl restart sshd.service
At the command line, run the following command: # stat -c "%n permissions are %a and owned by %U:%G" /etc/ssh/*key Example result: /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root If any key file listed is not owned by root or not group owned by root or does not have permissions of "0600", this is a finding.
At the command line, run the following commands for each returned file: # chmod 600 <file> # chown root:root <file> # systemctl restart sshd.service
At the command line, run the following command to verify password complexity is enforced for the root account: # grep '^password.*pam_pwquality.so' /etc/pam.d/system-password Example result: password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1 If the "enforce_for_root" option is missing or commented out, this is a finding.
Navigate to and open: /etc/pam.d/system-password Configure the pam_pwquality.so line to have the "enforce_for_root" option present as follows: password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1 Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
At the command line, run the following command to verify systemd fallback DNS is disabled: # resolvectl status | grep '^Fallback DNS' If the output indicates that Fallback DNS servers are configured, this is a finding.
Navigate to and open: /etc/systemd/resolved.conf Add or update the "FallbackDNS" entry to the following: FallbackDNS= Restart the systemd-resolved service by running the following command: # systemctl restart systemd-resolved Note: If this option is not given, a compiled-in list of DNS servers is used instead, which is undesirable.
At the command line, run the following command to verify an audit rule exists to audit the opasswd file: # auditctl -l | grep -E /etc/security/opasswd Expected result: -w /etc/security/opasswd -p wa -k opasswd If the opasswd file is not listed with a permissions filter of at least "wa" (writes and attribute changes), this is a finding. Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016.
Navigate to and open: /etc/audit/rules.d/audit.STIG.rules Add or update the following lines: -w /etc/security/opasswd -p wa -k opasswd At the command line, run the following command to load the new audit rules: # /sbin/augenrules --load Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one.
At the command line, run the following command to verify the running configuration of sshd: # sshd -T|&grep -i MACs Example result: macs hmac-sha2-512,hmac-sha2-256 If the output matches the macs in the example result or a subset thereof, this is not a finding. If the output contains any macs not listed in the example result, this is a finding.
Navigate to and open: /etc/ssh/sshd_config Ensure the "MACs" line is uncommented and set to the following: MACs hmac-sha2-512,hmac-sha2-256 At the command line, run the following command: # systemctl restart sshd.service
If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable. At the command line, run the following command to verify rsyslog is enabled and running: # systemctl status rsyslog If the rsyslog service is not enabled and running, this is a finding.
At the command line, run the following commands: # systemctl enable rsyslog # systemctl start rsyslog
At the command line, run the following command to verify the pam_pwhistory.so module is used: # grep '^password' /etc/pam.d/system-password Example result: password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=8 enforce_for_root dictcheck=1 password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok password required pam_unix.so sha512 use_authtok shadow try_first_pass If the "pam_pwhistory.so" module is not present, this is a finding. If "use_authtok" is not present for the "pam_pwhistory.so" module, this is a finding. If "conf" or "file" are present for the "pam_pwhistory.so" module, this is a finding.
Navigate to and open: /etc/pam.d/system-password Add or update the pam_pwhistory.so module line as follows: password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok Note: The line must be configured after pam_pwquality.so. Note: On vCenter appliances, the equivalent file must be edited under "/etc/applmgmt/appliance", if one exists, for the changes to persist after a reboot.
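The pam_pwquality.so check and the pam_pwhistory.so check above both grep the "password" lines of /etc/pam.d/system-password, but the ordering rule in the fix text (pam_pwhistory.so must follow pam_pwquality.so) is not something a grep shows. The following POSIX shell function is an added example, not part of the STIG or of Photon OS, that evaluates a copy of the file against every condition named in the two checks: enforce_for_root on pam_pwquality.so, use_authtok on pam_pwhistory.so, no conf or file option on pam_pwhistory.so, and the ordering. The function name is this example's own. It assumes the one-word control field Photon uses (required, requisite) rather than the bracketed "[success=1 ...]" form.

```shell
#!/bin/sh
# Added example (not from the STIG): check a copy of /etc/pam.d/system-password
# against the pam_pwquality.so and pam_pwhistory.so requirements, including the
# rule that pam_pwhistory.so must come after pam_pwquality.so.
# Assumption: control field is a single word (required/requisite), as on Photon.

# stig_pam_password_findings FILE
# Prints one line per problem on the "password" lines; prints nothing when the
# file satisfies both checks.
stig_pam_password_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        $1 != "password" { next }          # only the password stack matters here
        {
            n++                            # position of this line in the stack
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts " " $i " "   # pad for exact-token matching
            if ($3 ~ /pam_pwquality\.so$/) {
                pwq = n
                if (opts !~ / enforce_for_root /)
                    print "FINDING pam_pwquality.so lacks enforce_for_root"
            }
            if ($3 ~ /pam_pwhistory\.so$/) {
                pwh = n
                if (opts !~ / use_authtok /)
                    print "FINDING pam_pwhistory.so lacks use_authtok"
                if (opts ~ / (conf|file)(=[^ ]*)? /)
                    print "FINDING pam_pwhistory.so has a conf or file option"
            }
        }
        END {
            if (!pwq) print "FINDING pam_pwquality.so not present"
            if (!pwh) print "FINDING pam_pwhistory.so not present"
            else if (pwq && pwh < pwq)
                print "FINDING pam_pwhistory.so must come after pam_pwquality.so"
        }' "$1"
}

# On a host: stig_pam_password_findings /etc/pam.d/system-password
```

An empty result means both checks pass; each printed line maps to one finding in the check text. On vCenter appliances, run it against the copy under /etc/applmgmt/appliance as well, since that is the file the fix text says must persist.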
At the command line, run the following command to verify hardlink protection is enabled: # /sbin/sysctl fs.protected_hardlinks Example result: fs.protected_hardlinks = 1 If the "fs.protected_hardlinks" kernel parameter is not set to "1", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following line: fs.protected_hardlinks = 1 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
At the command line, run the following command to verify core dumps are restricted: # /sbin/sysctl fs.suid_dumpable Example result: fs.suid_dumpable = 0 If the "fs.suid_dumpable" kernel parameter is not set to "0", this is a finding.
Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following line: fs.suid_dumpable = 0 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.
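Every kernel parameter check in this section, from the network parameters (accept_source_route through tcp_timestamps) to fs.protected_hardlinks and fs.suid_dumpable here, follows the same pattern: read the value with /sbin/sysctl, compare it with a fixed expectation, and fix it by adding the line to /etc/sysctl.d/zz-stig-hardening.conf and reloading that file. The following POSIX shell script is an added example, not part of the STIG or of Photon OS, that audits all of those parameters in one pass and emits the matching file content. Function names and the STIG_SYSCTL_EXPECTED list are this example's own; the list copies the expected values stated in the checks above. It assumes the "key = value" line format that /sbin/sysctl -a prints.

```shell
#!/bin/sh
# Added example (not from the STIG): audit the kernel parameters in this
# section against their expected values, and emit the matching content for
# /etc/sysctl.d/zz-stig-hardening.conf. Function names are this example's own.

# Parameter / expected value pairs, as the checks in this section state them.
STIG_SYSCTL_EXPECTED='
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv6.conf.default.accept_source_route 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.ip_forward 0
net.ipv4.tcp_timestamps 1
fs.protected_hardlinks 1
fs.suid_dumpable 0
'

# Print the expected settings as "key = value" lines: this is the content the
# fix text asks for in /etc/sysctl.d/zz-stig-hardening.conf. Drop the
# net.ipv4.ip_forward line before installing it on a host that must forward
# (for example a Kubernetes node), where that check is Not Applicable.
stig_sysctl_expected_conf() {
    printf '%s\n' "$STIG_SYSCTL_EXPECTED" | awk 'NF == 2 { print $1 " = " $2 }'
}

# stig_sysctl_findings FILE
# FILE holds "key = value" lines in the format printed by `/sbin/sysctl -a`
# (a live capture or a saved copy). Prints one line per parameter that is
# missing or differs from the expected value; prints nothing when all match.
stig_sysctl_findings() {
    printf '%s\n' "$STIG_SYSCTL_EXPECTED" | awk -v state="$1" '
        BEGIN {
            # Load the actual state, splitting each line at its first "=".
            while ((getline line < state) > 0) {
                i = index(line, "=")
                if (i == 0) continue
                key = substr(line, 1, i - 1); val = substr(line, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
                actual[key] = val
            }
            close(state)
        }
        NF == 2 {
            if (!($1 in actual))
                print "MISSING " $1 " (expected " $2 ")"
            else if (actual[$1] != $2)
                print "FINDING " $1 " = " actual[$1] " (expected " $2 ")"
        }'
}

# Run the audit against the running kernel. Not invoked automatically.
stig_sysctl_audit_live() {
    tmp=$(mktemp) || return 1
    /sbin/sysctl -a 2>/dev/null > "$tmp"
    stig_sysctl_findings "$tmp"
    rm -f "$tmp"
}
```

On a host, source the script and run stig_sysctl_audit_live; each printed line is one finding. To remediate, write stig_sysctl_expected_conf output to /etc/sysctl.d/zz-stig-hardening.conf (minus net.ipv4.ip_forward where forwarding is required), then run /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf and audit again. Auditing the running values rather than the file is deliberate: a later file in /etc/sysctl.d or a service that sets parameters at start can override what zz-stig-hardening.conf says.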