Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R14. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as:

  • Red Hat Enterprise Linux Server
  • Red Hat Enterprise Linux Workstation and Desktop
  • Red Hat Enterprise Linux for HPC
  • Red Hat Storage
  • Red Hat Containers with a Red Hat Enterprise Linux 8 image
This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target   localhost
Benchmark URL       #scap_org.open-scap_comp_ssg-rhel8-xccdf.xml
Benchmark ID        xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version   0.1.73
Profile ID          xccdf_org.ssgproject.content_profile_stig
Started at          2024-08-07T12:37:42-05:00
Finished at         2024-08-07T12:37:42-05:00
Performed by        root
Test system         cpe:/a:redhat:openscap:1.3.10

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8.10
  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9

Addresses

  • IPv4  127.0.0.1
  • IPv4  192.168.86.34
  • IPv4  192.168.122.1
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:d4e:ed35:9d32:66af
  • MAC  00:00:00:00:00:00
  • MAC  52:54:00:5C:13:35
  • MAC  52:54:00:68:52:92

Compliance and Scoring

The target system did not satisfy the conditions of 1 rule. Please review the rule results and consider applying remediation.

Rule results

0 passed
1 failed
0 other

Severity of failed rules

0 other
1 low
0 medium
0 high

Score

Scoring system             Score     Maximum     Percent
urn:xccdf:scoring:default  0.000000  100.000000  0%

Rule Overview

Title                                                                    Severity  Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 8                    1x fail
  System Accounting with auditd                                                    1x fail
    Enable Auditing for Processes Which Start Prior to the Audit Daemon  low       fail

Result Details

Enable Auditing for Processes Which Start Prior to the Audit Daemon   xccdf_org.ssgproject.content_rule_grub2_audit_argument   low   CCE-80825-3

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule ID: xccdf_org.ssgproject.content_rule_grub2_audit_argument
Result: fail
Multi-check rule: no
OVAL Definition ID: oval:ssg-grub2_audit_argument:def:1
Time: 2024-08-07T12:37:42-05:00
Severity: low
Identifiers:

CCE-80825-3

References:
cis: 5.2.1.2
cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis: 5.4.1.1
cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui: 3.3.1
disa: CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6
iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
nist: AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1)
nist-csf: DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
ospp: FAU_GEN.1
pcidss: Req-10.3
pcidss4: 10.7.2
os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095
stigid: RHEL-08-030601
stigref: SV-230468r792904_rule
Description
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. So that audit=1 is also applied as a kernel command line argument to newly installed kernels, modify the GRUB_CMDLINE_LINUX line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
Rationale
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
    grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Complexity: medium
Disruption: low
Reboot: true
Strategy: restrict
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80825-3
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030601
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-17(1)
  - NIST-800-53-AU-10
  - NIST-800-53-AU-14(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IR-5(1)
  - PCI-DSS-Req-10.3
  - PCI-DSSv4-10.7.2
  - grub2_audit_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="audit=1"
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CCE-80825-3
  - CJIS-5.4.1.1
  - DISA-STIG-RHEL-08-030601
  - NIST-800-171-3.3.1
  - NIST-800-53-AC-17(1)
  - NIST-800-53-AU-10
  - NIST-800-53-AU-14(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IR-5(1)
  - PCI-DSS-Req-10.3
  - PCI-DSSv4-10.7.2
  - grub2_audit_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

[customizations.kernel]
append = "audit=1"
OVAL test results details

check for kernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_audit_argument_grub_env:tst:1  true

Following items have been found on the system:
Result of item-state comparison: true
Path: /boot/grub2/grubenv
Content: kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet audit=1

check for kernel command line parameters audit=1 in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
Filepath: /boot/efi/EFI/redhat/grubenv
Pattern: ^kernelopts=(.*)$
Instance: 1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_entries_reference_kernelopts:obj:1 of type textfilecontent54_object
Path: /boot/loader/entries/
Filename: ^.*\.conf$
Pattern: ^options(?:\s+.*)?\s+\$kernelopts\b.*$
Instance: 1

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_argument:tst:1  true

Following items have been found on the system:
Result of item-state comparison: true
Path: /etc/default/grub
Content: GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet audit=1"

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type textfilecontent54_object
Filepath: /etc/default/grub
Pattern: ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$
Instance: 1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
Result of item-state comparison: true
Path: /etc/default/grub
Content: GRUB_DISABLE_RECOVERY="true"
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.