_____________________________________________________________
Group ID (Vulid): V-71849
Group Title: SRG-OS-000257-GPOS-00098
Rule ID: SV-86473r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010010
Rule Title: The file permissions, ownership, and group membership of system files and commands must match the vendor values.
Vulnerability Discussion: Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108
--
_____________________________________________________________
Group ID (Vulid): V-71855
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86479r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010020
Rule Title: The cryptographic hash of system files and commands must match vendor values.
Vulnerability Discussion: Without cryptographic integrity protections, system commands and files can be altered by unauthorized users without detection.
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.
--
_____________________________________________________________
Group ID (Vulid): V-71937
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86561r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010290
Rule Title: The system must not have accounts configured with blank or null passwords.
Vulnerability Discussion: If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
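RHEL-07-010010 and RHEL-07-010020 are normally assessed against the RPM database with `rpm -Va`, which prints one line per file whose recorded attributes no longer match the installed copy. The script below is an added example, not STIG text: it triages constructed `rpm -Va` output, separating permission and ownership deviations (flag positions M, U and G) from digest mismatches (position 5), and skips config files for the digest check because locally edited configuration is expected to differ (the same intent as `rpm -Va --noconfig`). The sample lines and paths are made up; the flag layout is rpm's own.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output for RHEL-07-010010 (permissions,
# owner, group) and RHEL-07-010020 (cryptographic hash). Not STIG text.
#
# rpm -V flag column, one character per attribute, "." = matches, "?" = not
# testable:  S size  M mode  5 digest  D device  L symlink  U user  G group
#            T mtime  P capabilities
# A letter after the flags marks the file class: c config, d doc, g ghost,
# l license, r readme.

# Constructed sample output (paths and states are made up for the example).
SAMPLE_RPM_VA='.M.......    /usr/bin/passwd
.....U...    /usr/sbin/useradd
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.......T.    /usr/lib64/libc.so.6
missing     /usr/share/doc/README
.M....G..  g /var/log/lastlog'

# rpm_va_triage: rpm -Va output on stdin -> "PERM path", "HASH path" or
# "MISSING path" lines. Digest mismatches on config files (class "c") are
# not reported, matching the intent of "rpm -Va --noconfig". Paths that
# contain spaces are not handled.
rpm_va_triage() {
    awk '
        $1 == "missing"  { print "MISSING " $NF; next }
        length($1) != 9  { next }                 # not a verify line (e.g. dependency notes)
        {
            flags = $1
            class = (NF >= 3) ? $2 : ""           # c/d/g/l/r marker when present
            path  = $NF
            if (substr(flags, 2, 1) == "M" || substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
                print "PERM " path
            if (substr(flags, 3, 1) == "5" && class != "c")
                print "HASH " path
        }
    '
}

# Stand-alone run against the constructed sample. On a real host:
#   rpm -Va | rpm_va_triage
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_triage
```

Two caveats go with this check. `rpm -V` trusts the local rpmdb, which a root-level intruder can rewrite along with the binaries, so on a host suspected of compromise verify against a package file fetched from a trusted repository (`rpm -Vp package.rpm`) or against an offline baseline instead. And a `?` in a flag position means rpm could not test that attribute, which is not the same as a match.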
--
_____________________________________________________________
Group ID (Vulid): V-71939
Group Title: SRG-OS-000106-GPOS-00053
Rule ID: SV-86563r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010300
Rule Title: The SSH daemon must not allow authentication using an empty password.
Vulnerability Discussion: Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
--
_____________________________________________________________
Group ID (Vulid): V-71953
Group Title: SRG-OS-000480-GPOS-00229
Rule ID: SV-86577r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010440
Rule Title: The operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
Vulnerability Discussion: Failure to restrict system access to authenticated users negatively impacts operating system security.
--
_____________________________________________________________
Group ID (Vulid): V-71955
Group Title: SRG-OS-000480-GPOS-00229
Rule ID: SV-86579r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010450
Rule Title: The operating system must not allow an unrestricted logon to the system.
Vulnerability Discussion: Failure to restrict system access to authenticated users negatively impacts operating system security.
--
_____________________________________________________________
Group ID (Vulid): V-71961
Group Title: SRG-OS-000080-GPOS-00048
Rule ID: SV-86585r4_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010480
Rule Title: Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
Vulnerability Discussion: If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
--
_____________________________________________________________
Group ID (Vulid): V-71963
Group Title: SRG-OS-000080-GPOS-00048
Rule ID: SV-86587r3_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-010490
Rule Title: Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
Vulnerability Discussion: If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
--
_____________________________________________________________
Group ID (Vulid): V-71967
Group Title: SRG-OS-000095-GPOS-00049
Rule ID: SV-86591r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020000
Rule Title: The rsh-server package must not be installed.
Vulnerability Discussion: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
--
_____________________________________________________________
Group ID (Vulid): V-71969
Group Title: SRG-OS-000095-GPOS-00049
Rule ID: SV-86593r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020010
Rule Title: The ypserv package must not be installed.
Vulnerability Discussion: Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
--
_____________________________________________________________
Group ID (Vulid): V-71977
Group Title: SRG-OS-000366-GPOS-00153
Rule ID: SV-86601r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020050
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
--
_____________________________________________________________
Group ID (Vulid): V-71979
Group Title: SRG-OS-000366-GPOS-00153
Rule ID: SV-86603r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020060
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
--
_____________________________________________________________
Group ID (Vulid): V-71981
Group Title: SRG-OS-000366-GPOS-00153
Rule ID: SV-86605r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020070
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
--
_____________________________________________________________
Group ID (Vulid): V-71989
Group Title: SRG-OS-000445-GPOS-00199
Rule ID: SV-86613r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020210
Rule Title: The operating system must enable SELinux.
Vulnerability Discussion: Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
--
_____________________________________________________________
Group ID (Vulid): V-71991
Group Title: SRG-OS-000445-GPOS-00199
Rule ID: SV-86615r3_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020220
Rule Title: The operating system must enable the SELinux targeted policy.
Vulnerability Discussion: Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.
--
_____________________________________________________________
Group ID (Vulid): V-71993
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86617r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020230
Rule Title: The x86 Ctrl-Alt-Delete key sequence must be disabled.
Vulnerability Discussion: A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system.
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
--
_____________________________________________________________
Group ID (Vulid): V-71997
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86621r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020250
Rule Title: The operating system must be a vendor supported release.
Vulnerability Discussion: An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
--
_____________________________________________________________
Group ID (Vulid): V-72005
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86629r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020310
Rule Title: The root account must be the only account having unrestricted access to the system.
Vulnerability Discussion: If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
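Two account rules in this extract, RHEL-07-010290 (blank or null passwords, listed earlier) and RHEL-07-020310 (extra UID 0 accounts, directly above), come down to inspecting fields of /etc/shadow and /etc/passwd. The script below is an added example rather than STIG text; it reads constructed passwd, shadow and PAM lines from stdin so the same functions can be pointed at the live files. Two details matter in practice: a shadow password field of `!`, `!!` or `*` means a locked account and must not be reported as blank, and an empty field is only accepted at login when pam_unix carries the `nullok` option, so the PAM stack is checked as well. The `nullok` check is this example's addition; the extract above does not state how the rule is assessed.

```shell
#!/bin/sh
# Added example (not STIG text): audit account data for RHEL-07-010290
# (blank passwords) and RHEL-07-020310 (accounts other than root with UID 0).
# Every function reads its input from stdin, so the constructed samples
# below and the real /etc files are handled by the same code.

# Constructed /etc/passwd lines (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:1001:1001::/var/lib/svc:/sbin/nologin'

# Constructed /etc/shadow lines. Field 2: "" = no password at all;
# "!", "!!" or "*" (or a "!"-prefixed hash) = locked, which is NOT blank.
SAMPLE_SHADOW='root:$6$c0nstructed$hashvalue:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
toor:!!:18000:0:99999:7:::
alice::18000:0:99999:7:::
svc:!$6$locked$hash:18000:0:99999:7:::'

# Constructed PAM lines. pam_unix accepts an empty password only when the
# "nullok" option is present on a live (uncommented) line.
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# auth      sufficient    pam_unix.so nullok        <- commented out, ignored
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok'

# blank_password_accounts: shadow on stdin -> user names whose password field is empty
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# extra_uid0_accounts: passwd on stdin -> user names other than root whose UID is 0
extra_uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }'
}

# pam_nullok_lines: PAM config on stdin -> live pam_unix lines carrying nullok
pam_nullok_lines() {
    awk '!/^[ \t]*#/ && /pam_unix\.so/ && /nullok/'
}

# Stand-alone run against the constructed samples. On a live host (as root):
#   blank_password_accounts </etc/shadow
#   extra_uid0_accounts     </etc/passwd
#   cat /etc/pam.d/system-auth /etc/pam.d/password-auth | pam_nullok_lines
printf '%s\n' "$SAMPLE_SHADOW" | blank_password_accounts | sed 's/^/RHEL-07-010290 blank password: /'
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts     | sed 's/^/RHEL-07-020310 extra UID 0 account: /'
printf '%s\n' "$SAMPLE_PAM"    | pam_nullok_lines        | sed 's/^/RHEL-07-010290 nullok enabled: /'
```

`passwd -S user` is a quick cross-check for a suspect account: it reports NP for no password, LK for locked and PS for a set password. Removing `nullok` from pam_unix closes the login path even before the offending account is fixed, but the blank field itself remains a finding under the rule's wording.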
--
_____________________________________________________________
Group ID (Vulid): V-72067
Group Title: SRG-OS-000033-GPOS-00014
Rule ID: SV-86691r3_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-021350
Rule Title: The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Vulnerability Discussion: Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223
--
_____________________________________________________________
Group ID (Vulid): V-72077
Group Title: SRG-OS-000095-GPOS-00049
Rule ID: SV-86701r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-021710
Rule Title: The telnet-server package must not be installed.
Vulnerability Discussion: It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
--
_____________________________________________________________
Group ID (Vulid): V-72079
Group Title: SRG-OS-000038-GPOS-00016
Rule ID: SV-86703r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-030000
Rule Title: Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
Vulnerability Discussion: Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
--
_____________________________________________________________
Group ID (Vulid): V-72213
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86837r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-032000
Rule Title: The system must use a virus scan program.
Vulnerability Discussion: Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.
The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
--
_____________________________________________________________
Group ID (Vulid): V-72251
Group Title: SRG-OS-000074-GPOS-00042
Rule ID: SV-86875r3_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040390
Rule Title: The SSH daemon must be configured to only use the SSHv2 protocol.
Vulnerability Discussion: SSHv1 is an insecure implementation of the SSH protocol and has many well-known, exploitable vulnerabilities. Exploits of the SSH daemon could provide immediate root access to the system.
Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227
--
_____________________________________________________________
Group ID (Vulid): V-72277
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86901r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040540
Rule Title: There must be no .shosts files on the system.
Vulnerability Discussion: The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it requires neither interactive identification and authentication of the connection request nor the use of two-factor authentication.
--
_____________________________________________________________
Group ID (Vulid): V-72279
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86903r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040550
Rule Title: There must be no shosts.equiv files on the system.
Vulnerability Discussion: The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it requires neither interactive identification and authentication of the connection request nor the use of two-factor authentication.
--
_____________________________________________________________
Group ID (Vulid): V-72299
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86923r2_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040690
Rule Title: A File Transfer Protocol (FTP) server package must not be installed unless needed.
Vulnerability Discussion: The FTP service provides unencrypted remote access that does not protect the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.
--
_____________________________________________________________
Group ID (Vulid): V-72301
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86925r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040700
Rule Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
Vulnerability Discussion: If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.
--
_____________________________________________________________
Group ID (Vulid): V-72303
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86927r3_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040710
Rule Title: Remote X connections for interactive users must be encrypted.
Vulnerability Discussion: Open X displays allow an attacker to capture keystrokes and execute commands remotely.
--
_____________________________________________________________
Group ID (Vulid): V-72313
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-86937r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-040800
Rule Title: SNMP community strings must be changed from the default.
Vulnerability Discussion: Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security.
If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.
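Three rules in this extract are sshd_config settings: RHEL-07-010300 (PermitEmptyPasswords), RHEL-07-040390 (Protocol) and RHEL-07-040710 (X11Forwarding, since carrying X traffic inside the SSH channel is how remote X connections are encrypted). The required values used below are this example's reading of those rules, not text from the extract. Checking them with a plain grep misses how sshd reads its file: for each keyword the first value wins and later duplicates are ignored, keywords are case-insensitive, `=` may separate keyword and value, and anything inside a Match block is conditional rather than global. The resolver below is an added example, not STIG or OpenSSH code, and applies those parsing rules to a constructed sshd_config fragment.

```shell
#!/bin/sh
# Added example (not STIG or OpenSSH code): resolve the global value sshd
# would use for a keyword and check three RHEL 7 STIG settings against it.
# sshd keeps the FIRST value it reads for a keyword and ignores later
# duplicates; keywords are case-insensitive; "Keyword=value" is allowed;
# settings inside a Match block apply only to matched connections.

# Constructed sshd_config fragment (not from a real host).
SAMPLE_SSHD_CONFIG='# constructed fragment
Protocol 2
PermitEmptyPasswords yes
X11Forwarding = no
PermitEmptyPasswords no    # ignored by sshd: "yes" above was read first
Match User backup
    X11Forwarding yes'

# sshd_effective KEYWORD DEFAULT: config on stdin -> the global value sshd
# would use (lower-cased), or DEFAULT when the keyword is not set globally.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }       # strip comments, normalise "Key=value"
        NF < 2 { next }
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    '
}

# sshd_check: config on stdin -> one PASS/FAIL line per rule; returns 1 on any FAIL.
# Required values are this example's reading of the rules:
#   RHEL-07-010300 PermitEmptyPasswords no   (sshd default: no)
#   RHEL-07-040390 Protocol 2                (sshd default: 2)
#   RHEL-07-040710 X11Forwarding yes         (sshd default: no) so X rides the SSH channel
sshd_check() {
    cfg=$(cat)
    rc=0
    for spec in 'RHEL-07-010300:PermitEmptyPasswords:no:no' \
                'RHEL-07-040390:Protocol:2:2' \
                'RHEL-07-040710:X11Forwarding:no:yes'; do
        id=${spec%%:*};  rest=${spec#*:}
        key=${rest%%:*}; rest=${rest#*:}
        def=${rest%%:*}; want=${rest#*:}
        got=$(printf '%s\n' "$cfg" | sshd_effective "$key" "$def")
        if [ "$got" = "$want" ]; then
            printf '%s %s PASS (%s)\n' "$id" "$key" "$got"
        else
            printf '%s %s FAIL (got %s, want %s)\n' "$id" "$key" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed fragment. On a live host,
# "sshd -T" prints the effective configuration and is the authoritative check.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_check || echo "sshd_config has findings"
```

Against the fragment, PermitEmptyPasswords resolves to `yes` (the appended `no` never takes effect) and X11Forwarding to `no` (the `yes` inside the Match block is not the global setting), so two of the three rules fail. On a live host prefer `sshd -T`, which prints the configuration sshd itself computes; the resolver is for auditing a config file offline.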