forked from simp/inspec-profile-disa_stig-el7
-
Notifications
You must be signed in to change notification settings - Fork 2
/
inspec.yml
377 lines (326 loc) · 13 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
name: disa_stig-el7
title: DISA RedHat Enterprise Linux 7 STIG - v1r4
maintainer: SIMP Team
copyright: SIMP Team
copyright_email: [email protected]
license: Apache-2.0
summary: 'The `disa_stig-el7` inspec profile helps scan your system aginst the DISA RHEL7 STIG'
version: 0.2.0
# The following defines the default inputs for the configurable controls used in the RHEL 7 DISA STIG.
inputs:
- name: disable_slow_controls
description: Controls that are known to consistently have long run times can be disabled with this attribute
type: Boolean
value: false
# V-72081
- name: monitor_kernel_log
description: Set this to false if your system availability concern is not documented or there is no monitoring of the kernel log
type: Boolean
value: true
# V-71849
- name: rpm_verify_perms_except
description: List of system files that should be allowed to change from an rpm verify point of view
type: Array
value: []
# V-71855
- name: rpm_verify_integrity_except
description: List of system files that should be allowed to change from an rpm verify point of view
type: Array
value: []
# V-71859
- name: banner_message_enabled
description: Set to 'true' if the login banner message should be enabled
type: String
value: 'true'
# V-72211
- name: log_aggregation_server
description: Set to 'true' if the system is being used as a log aggregation server
type: Boolean
value: false
# V-72047
- name: application_groups
description: Known application groups that are allowed to have world-writeable files or directories
type: Array
value: []
# V-72307
- name: x11_enabled
description: Set to 'true' if X11 is needed on the system.
type: Boolean
value: false
- name: disallowed_accounts
description: Accounts that are not allowed on the system
type: Array
value: [
'games',
'gopher',
'ftp'
]
- name: user_accounts
description: Accounts of known managed users
type: Array
value: []
- name: known_system_accounts
description: System accounts that support approved system activities.
type: Array
value: [
'root',
'bin',
'daemon',
'adm',
'lp',
'sync',
'shutdown',
'halt',
'mail',
'operator',
'nobody',
'systemd-bus-proxy',
]
# V-71859/V-77819
- name: dconf_user
description: User to use to check dconf settings. An empty string means to use whatever user is running inspec currently.
type: String
value: nil
# You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
# By using this IS (which includes any device attached to this IS), you consent to the following conditions:
# - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
# - At any time, the USG may inspect and seize data stored on this IS.
# - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
# - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
# - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
# V-71861
- name: banner_message_text_gui
description: Banner message text for graphical user interface logins.
type: String
value: "You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details."
- name: banner_message_text_gui_limited
description: Banner message text for limited-resource graphical user interface logins.
type: String
value: "I've read & consent to terms in IS user agreem't."
# V-71863
- name: banner_message_text_cli
description: Banner message text for command line interface logins.
type: String
value: "You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details."
- name: banner_message_text_cli_limited
description: Banner message text for resource-limited command line interface logins.
type: String
value: "I've read & consent to terms in IS user agreem't."
# V-72225
- name: banner_message_text_ral
description: Banner message text for remote access logins.
type: String
value: "You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details."
- name: banner_message_text_ral_limited
description: Banner message text for resource-limited remote access logins.
type: String
value: "I've read & consent to terms in IS user agreem't."
# V-71901
- name: lock_delay
description: The scereensaver lock-delay must be less than or equal to the specified value
type: Numeric
value: 5
# V-71911
- name: difok
description: Minimum number of characters that must be different from previous password
type: Numeric
value: 8
# V-71933
- name: min_reuse_generations
description: Number of reuse generations
type: Numeric
value: 5
# V-71935
- name: min_len
description: Number of characters
type: Numeric
value: 15
# V-71941
- name: days_of_inactivity
description: Number of days
type: Numeric
value: 0
# V-71943
- name: unsuccessful_attempts
description: number of unsuccessful attempts
type: Numeric
value: 3
- name: fail_interval
description: Interval of time in which the consecutive failed logon attempts must occur in order for the account to be locked out (time in seconds)
type: Numeric
value: 900
- name: lockout_time
description: Minimum amount of time account must be locked out after failed logins. This attribute should never be set greater than 604800 (time in seconds).
value: 604800
# V-71973
- name: file_integrity_tool
description: Name of tool
type: String
value: 'aide'
- name: file_integrity_tool
description: Interval to run the file integrity tool (monthly, weekly, or daily).
type: String
value: 'weekly'
# V-72223
- name: system_activity_timeout
description: System activity timeout (time in seconds).
type: Numeric
value: 600
# V-72237
- name: client_alive_interval
description: Client alive interval (time in seconds).
type: Numeric
value: 600
# V-71965, V-72417, V-72433
- name: smart_card_status
description: Smart card status (enabled or disabled)
type: String
value: 'enabled'
# V-72051/V-72209
- name: log_pkg_path
description: The path to the logging package
type: String
value: '/etc/rsyslog.conf'
# V-72011, V-72015, V-72017, V-72019, V-72021, V-72023, V-72025
# V-72027, V-72029, V-72031, V-72033, V-72035, V-72037, V-72059
- name: exempt_home_users
description: Users exempt from home directory-based controls in array format
type: Array
value: []
# V-71961
- name: grub_main_cfg
description: Main grub boot config file
type: String
value: '/boot/grub2/grub.cfg'
- name: grub_superuser
description: superusers for grub boot
type: Array
value: ['root']
- name: grub_user_boot_files
description: Grub boot config files
type: Array
value: ['/boot/grub2/user.cfg']
# V-71963
- name: efi_superusers
description: Superusers for efi boot
type: Array
value: ['root']
- name: efi_user_boot_files
description: Efi boot config files
type: Array
value: ['/boot/efi/EFI/redhat/user.cfg']
- name: efi_main_cfg
description: Main efi boot config file
type: String
value: '/boot/efi/EFI/redhat/grub.cfg'
# V-71971
- name: admin_logins
description: System accounts that support approved system activities
type: Array
value: []
# V-73159
- name: max_rety
description: Maximum number of times to prompt user for new password
type: Numeric
value: 3
# V-72417
- name: mfa_pkg_list
description: The list of packages needed for MFA on RHEL
type: Array
value: [
'nss-tools',
'nss-pam-ldapd',
'esc',
'pam_pkcs11',
'pam_krb5',
'opensc',
'pcsc-lite-ccid',
'gdm',
'authconfig',
'authconfig-gtk',
'krb5-libs',
'krb5-workstation',
'krb5-pkinit',
'pcsc-lite',
'pcsc-lite-libs'
]
# V-77819
- name: multifactor_enabled
description: Should dconf have smart card authentication
type: String
value: 'true'
- name: non_interactive_shells
description: These shells do not allow a user to login
type: Array
value: ["/sbin/nologin", "/sbin/halt", "/sbin/shutdown", "/bin/false", "/bin/sync", "/bin/true"]
# V-72059
- name: randomize_va_space
description: Randomize virtual address space kernel parameter
type: Numeric
value: 2
# V-72043
- name: non_removable_media_fs
description: File systems that don't correspond to removable media
type: Array
value: ['xfs', 'ext4', 'swap', 'tmpfs']
# V-72317
- name: approved_tunnels
description: Approved configured tunnels prepended with word 'conn' (e.g., ['conn myTunnel'])
type: Array
value: []
# V-72039
- name: virtual_machine
description: Is the target expected to be a virtual machine
type: Boolean
value: false