-
Notifications
You must be signed in to change notification settings - Fork 813
This PR follows #14834 and continues addressing issue #8709. #14841
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,9 +2,9 @@ srg_requirement: |- | |
| {{{ full_name }}} must implement certificate status checking for multifactor authentication. | ||
|
|
||
| vuldiscussion: |- | ||
| Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content. |
||
| Using an authentication device, such as a hardware token or smart card that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. | ||
|
|
||
| Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. | ||
| Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card. | ||
|
|
||
| {{{ full_name }}} includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,7 +8,7 @@ description: |- | |
| default text with a message compliant with the local site policy or a legal | ||
| disclaimer. | ||
|
|
||
| The DoD required text is either: | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If we truly removing DOD specific content we should remove the required text., |
||
| The required text is either: | ||
| <br /><br /> | ||
| <tt>You are accessing a U.S. Government (USG) Information System (IS) that | ||
| is provided for USG-authorized use only. By using this IS (which includes | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,7 +8,7 @@ description: |- | |
| default text with a message compliant with the local site policy or a legal | ||
| disclaimer. | ||
|
|
||
| The DoD required text is either: | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same as |
||
| The required text is either: | ||
| <br /><br /> | ||
| <tt>You are accessing a U.S. Government (USG) Information System (IS) that | ||
| is provided for USG-authorized use only. By using this IS (which includes | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,10 +4,10 @@ | |
| title: 'Enable the SSH login confirmation banner' | ||
|
|
||
| description: |- | ||
| This rule verifies that that the SSH login confirmation banner is set | ||
| This rule verifies that that the SSH login confirmation banner is set | ||
| correctly. | ||
|
|
||
| The DoD required text is: | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same as |
||
| The required text is: | ||
| <br /><br /> | ||
| <tt>if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then<br/> | ||
| while true; do<br/> | ||
|
|
@@ -45,7 +45,7 @@ | |
| access to the operating system ensures privacy and security notification | ||
| verbiage used is consistent with applicable federal laws, Executive Orders, | ||
| directives, policies, regulations, standards, and guidance. | ||
|
|
||
| severity: medium | ||
|
|
||
| ocil_clause: 'it does not display the required banner' | ||
|
|
@@ -54,4 +54,4 @@ | |
| To check if the system motd banner is compliant, | ||
| run the following command: | ||
| <pre>$ less /etc/profile.d/ssh_confirm.sh</pre> | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,7 +8,7 @@ description: |- | |
| Replace the default text with a message compliant with the local site | ||
| policy or a legal disclaimer. | ||
|
|
||
| The DoD required text is either: | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same as |
||
| The required text is either: | ||
| <br /><br /> | ||
| <tt>You are accessing a U.S. Government (USG) Information System (IS) that | ||
| is provided for USG-authorized use only. By using this IS (which includes | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,6 @@ vuldiscussion: |- | |
|
|
||
| The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. | ||
|
|
||
| The DoD minimum password requirement is 15 characters. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks, and I will do the changes. |
||
|
|
||
| checktext: |- | ||
| Verify that {{{ full_name }}} enforces a minimum 15-character password length with the following command: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,11 +3,11 @@ srg_requirement: |- | |
| {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. | ||
|
|
||
| vuldiscussion: |- | ||
| Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. | ||
| Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and sensitive data may be compromised. | ||
|
|
||
| {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. | ||
|
|
||
| FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content. |
||
| FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets organizational requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. | ||
|
|
||
| checktext: |- | ||
| Verify that the pam_unix.so module is configured to use yescrypt in /etc/pam.d/system-auth with the following command: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,11 +2,11 @@ srg_requirement: |- | |
| {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. | ||
|
|
||
| vuldiscussion: |- | ||
| Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content. |
||
| Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and sensitive data may be compromised. | ||
|
|
||
| {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. | ||
|
|
||
| FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. | ||
| FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets organizational requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. | ||
|
|
||
| checktext: |- | ||
| Verify that the pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,6 @@ title: 'OpenSC Smart Card Drivers' | |
|
|
||
| description: |- | ||
| Choose the Smart Card Driver in use by your organization. | ||
| <br />For DoD, choose the <tt>cac</tt> driver. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is some helpful text, propose to keep. |
||
| <br />If your driver is not listed and you don't want to use the | ||
| <tt>default</tt> driver, use the <tt>other</tt> option and | ||
| manually specify your driver. | ||
|
|
@@ -46,7 +45,7 @@ options: | |
| npa: npa | ||
| oberthur: oberthur | ||
| openpgp: openpgp | ||
| other: | ||
| other: | ||
| PIV-II: PIV-II | ||
| rutoken_ecp: rutoken_ecp | ||
| rutoken: rutoken | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ srg_requirement: |- | |
| A {{{ full_name }}} firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | ||
|
|
||
| vuldiscussion: |- | ||
| Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content. |
||
| Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of sensitive data. | ||
|
|
||
| {{{ full_name }}} incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,7 @@ srg_requirement: |- | |
| vuldiscussion: |- | ||
| Without cryptographic integrity protections, information can be altered by unauthorized users without detection. | ||
|
|
||
| Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The STIG policy content, should keep the DOD wording as this is a mirror of the upstream STIG content. |
||
| Remote access (e.g., RDP) is access to nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. | ||
|
|
||
| Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rules with
_stigcan be keep the DoD wording as they specifically for the STIG.