xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig

Guide to the Secure Configuration of Red Hat Enterprise Linux 9

with profile DISA STIG for Red Hat Enterprise Linux 9
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V1R3. In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 9 image

The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 9. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	localhost
Benchmark URL	#scap_org.open-scap_comp_ssg-rhel9-xccdf.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-9
Benchmark version	0.1.74
Profile ID	xccdf_org.ssgproject.content_profile_stig
Started at	2024-10-17T12:50:08-06:00
Finished at	2024-10-17T12:50:08-06:00
Performed by	lark
Test system	cpe:/a:redhat:openscap:1.3.10

CPE Platforms

cpe:/o:redhat:enterprise_linux:9

Addresses

IPv4 127.0.0.1
IPv4 192.168.86.41
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:5054:ff:fe3f:38cf
MAC 00:00:00:00:00:00
MAC 52:54:00:3F:38:CF

Compliance and Scoring

There were no failed rules, but the results of 1 rules were inconclusive! Please review rule results and consider applying remediation.

Rule results

0 passed

0 failed

1 other

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	0.000000	100.000000	0%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat Enterprise Linux 9 1x error
Services 1x error
SSH Server 1x error
Configure OpenSSH Server if Necessary 1x error
Enable SSH Server firewalld Firewall Exception	medium	error

Result Details

Enable SSH Server firewalld Firewall Exception

Rule ID xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled

Result

error

Multi-check rule no

OVAL Definition ID oval:ssg-firewalld_sshd_port_enabled:def:1

Time 2024-10-17T12:50:08-06:00

Severity medium

Identifiers:

CCE-89175-4

References:

cui	3.1.12
ism	1416
nist	AC-17(a), CM-6(b), CM-7(a), CM-7(b)
os-srg	SRG-OS-000096-GPOS-00050
stigid	RHEL-09-251035
stigref	SV-257940r925807_rule

Description

If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. In more restrictive firewalld settings, the SSH port should be added to the proper firewalld zone in order to allow SSH remote access.

To configure firewalld to allow ssh access, run the following command(s):

firewall-cmd --permanent --add-service=ssh

Then run the following command to load the newly created rule(s):

firewall-cmd --reload

Rationale

If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port.

Warnings

warning The remediation for this rule uses firewall-cmd and nmcli tools. Therefore, it will only be executed if firewalld and NetworkManager services are running. Otherwise, the remediation will be aborted and a informative message will be shown in the remediation report. These respective services will not be started in order to preserve any intentional change in network components related to firewall and network interfaces.

warning This rule also checks if the SSH port was modified by the administrator in the firewalld services definitions and is reflecting the expected port number. Although this is checked, fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services it is not in the scope of the remediation since there is no reliable way to manually change the respective file. If the default SSH port is modified, it is on the administrator responsibility to ensure the firewalld customizations in the service port level are properly configured.

warning Red Hat Enterprise Linux 9 prefers and recommends to use NetworkManager keyfiles instead of the ifcfg files stored in /etc/sysconfig/network-scripts. Therefore, if the system was upgraded from a previous release, make sure the NIC configuration files are properly migrated from ifcfg format to NetworkManager keyfiles. Otherwise, this rule won't be able to check the configuration. The migration can be accomplished by nmcli connection migrate command.

Evaluation messages

info

Fix execution completed and returned: 0

info

active
active
Warning: ALREADY_ENABLED: 'ssh' already in 'public'
success
Warning: ALREADY_ENABLED: ssh
success
success

info

Failed to verify applied fix: Checking engine returns: fail

Remediation Shell script ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    dnf install -y "firewalld"
fi
if ! rpm -q --quiet "NetworkManager" ; then
    dnf install -y "NetworkManager"
fi
firewalld_sshd_zone='public'


if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
    # TODO: NM (nmcli) now has --offline mode support, and it could operate without NM service.
    # See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1183
    # The feature is not quite straighforward (and probably incomplete), though.
    echo "Not applicable in offline mode. Remediation aborted!"
else
    if systemctl is-active NetworkManager && systemctl is-active firewalld; then
        # First make sure the SSH service is enabled in run-time for the proper zone.
        # This is to avoid connection issues when new interfaces are addeded to this zone.
        firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh

        # This will collect all NetworkManager connections names
        readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }')
        # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
        # This will not change connections which are already assigned to any firewalld zone.
        for connection in "${nm_connections[@]}"; do
            current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
            if [ $current_zone = "--" ]; then
                nmcli connection modify "$connection" connection.zone $firewalld_sshd_zone
            fi
        done
        systemctl restart NetworkManager

        # Active zones are zones with at least one interface assigned to it.
        # It is possible that traffic is comming by any active interface and consequently any
        # active zone. So, this make sure all active zones are permanently allowing SSH service.
        readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
        for zone in "${firewalld_active_zones[@]}"; do
            firewall-cmd --permanent --zone="$zone" --add-service=ssh
        done
        firewall-cmd --reload
    else
        echo "The firewalld or NetworkManager service is not active. Remediation aborted!"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Remediation Ansible snippet ⇲

Complexity:	low
Disruption:	low
Reboot:	false
Strategy:	configure

- name: XCCDF Value firewalld_sshd_zone # promote to variable
  set_fact:
    firewalld_sshd_zone: !!str public
  tags:
    - always

- name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld and NetworkManager
    packages are installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - firewalld
  - NetworkManager
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-89175-4
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Collect facts about system
    services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-89175-4
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Remediation is applicable
    if firewalld and NetworkManager services are running
  block:

  - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
      connections names
    ansible.builtin.shell:
      cmd: nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }'
    register: result_nmcli_cmd_connections_names
    changed_when: false

  - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager
      connections zones
    ansible.builtin.shell:
      cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print
        $2}'
    register: result_nmcli_cmd_connections_zones
    changed_when: false
    with_items:
    - '{{ result_nmcli_cmd_connections_names.stdout_lines }}'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections
      are assigned to a firewalld zone
    ansible.builtin.command:
      cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone
        }}
    register: result_nmcli_cmd_connections_assignment
    with_together:
    - '{{ result_nmcli_cmd_connections_names.stdout_lines }}'
    - '{{ result_nmcli_cmd_connections_zones.results }}'
    when:
    - item.1.stdout == '--'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections
      changes are applied
    ansible.builtin.service:
      name: NetworkManager
      state: restarted
    when:
    - result_nmcli_cmd_connections_assignment is changed

  - name: Enable SSH Server firewalld Firewall Exception - Collect firewalld active
      zones
    ansible.builtin.shell:
      cmd: firewall-cmd --get-active-zones | grep -v interfaces
    register: result_firewall_cmd_zones_names
    changed_when: false

  - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld zones
      allow SSH
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh
    register: result_nmcli_cmd_connections_assignment
    changed_when:
    - '''ALREADY_ENABLED'' not in result_nmcli_cmd_connections_assignment.stderr'
    with_items:
    - '{{ result_firewall_cmd_zones_names.stdout_lines }}'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld changes
      are applied
    ansible.builtin.service:
      name: firewalld
      state: reloaded
    when:
    - result_nmcli_cmd_connections_assignment is changed
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.services['firewalld.service'].state == 'running'
  - ansible_facts.services['NetworkManager.service'].state == 'running'
  tags:
  - CCE-89175-4
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Informative message based
    on services states
  ansible.builtin.assert:
    that:
    - ansible_facts.services['firewalld.service'].state == 'running'
    - ansible_facts.services['NetworkManager.service'].state == 'running'
    fail_msg:
    - firewalld and NetworkManager services are not active. Remediation aborted!
    - This remediation could not be applied because it depends on firewalld and NetworkManager
      services running.
    - The service is not started by this remediation in order to prevent connection
      issues.
    success_msg:
    - Enable SSH Server firewalld Firewall Exception remediation successfully executed
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-89175-4
  - DISA-STIG-RHEL-09-251035
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

OVAL test results details

All NICs must have a firewalld zone defined in their settings oval:ssg-test_firewalld_sshd_port_enabled_all_nics_in_zones:tst:1 true

Following items have been found on the system:

Result of item-state comparison	Var ref	Value
true	oval:ssg-var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count:var:1	1

SSH service is defined in all zones delivered in the firewalld package oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1 true

Following items have been found on the system:

Result of item-state comparison	Filepath	Path	Filename	Xpath
not evaluated	/usr/lib/firewalld/zones/dmz.xml	/usr/lib/firewalld/zones	dmz.xml	/zone/service[@name='ssh']
not evaluated	/usr/lib/firewalld/zones/external.xml	/usr/lib/firewalld/zones	external.xml	/zone/service[@name='ssh']
not evaluated	/usr/lib/firewalld/zones/internal.xml	/usr/lib/firewalld/zones	internal.xml	/zone/service[@name='ssh']
not evaluated	/usr/lib/firewalld/zones/home.xml	/usr/lib/firewalld/zones	home.xml	/zone/service[@name='ssh']
not evaluated	/usr/lib/firewalld/zones/work.xml	/usr/lib/firewalld/zones	work.xml	/zone/service[@name='ssh']
not evaluated	/usr/lib/firewalld/zones/public.xml	/usr/lib/firewalld/zones	public.xml	/zone/service[@name='ssh']

there is no equivalent zone file defined by the administrator in /etc dir oval:ssg-test_firewalld_sshd_port_enabled_usr_zones_not_overridden:tst:1 false

Following items have been found on the system:

Result of item-state comparison	Path	Type	UID	GID	Size (B)	Permissions
not evaluated	/etc/firewalld/zones/public.xml	regular	0	0	356	`rw-r--r--`
not evaluated	/etc/firewalld/zones/dmz.xml	regular	0	0	282	`rw-r--r--`

SSH service is defined in all zones created or modified by the administrator oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc:tst:1 false

Following items have been found on the system:

Result of item-state comparison	Var ref	Value
false	oval:ssg-var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:var:1	1

SSH service is interger in the /usr/lib/firewalld/services dir oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_usr:tst:1 true

Following items have been found on the system:

Result of item-state comparison	Filepath	Path	Filename	Xpath
not evaluated	/usr/lib/firewalld/services/ssh.xml	/usr/lib/firewalld/services	ssh.xml	/service/port[@port='22']

SSH service is properly configured in /etc/firewalld/services dir oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_etc:tst:1 true

No items have been found conforming to the following objects:

Object oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_etc:obj:1 of type textfilecontent54_object

Filepath	Pattern	Instance
/etc/firewalld/services/ssh.xml	<port.*port="(\d+)"	1

Scroll back to the first rule

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.