Version: Atlas v3.14

RedHat Enterprise Linux 7 Puppet Module (rhel7stig)

ReadMe
Reference
Changelog

Description
Setup - Getting started with rhel7stig
- What rhel7stig affects
- Beginning with rhel7stig
Usage - Configuration options and additional functionality
Limitations - OS compatibility, etc.
Support - Getting module updates

Description

This Puppet module applies security hardening to Red Hat Enterprise Linux (RHEL) 7 as documented in the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). See the CHANGELOG for the history of the module to include the current supported STIG release.

The module implements each STIG finding as a separate puppet class, enabling them to be enabled or disabled individually. Puppet classes for STIG findings are named after the vulnerability ID, beginning with a lower-case "v" followed by the ID number. All findings are enforced by default but can be disabled in hiera by using the 'exclude' parameter with an array of class names.

Setup

What rhel7stig affects

caution

The STIG checklist addresses MANY system components that can impact operational functionality. It is also highly likely that you are already using Puppet modules to maintain the system configuration. This module attempts to balance strict enforcement of the STIG while avoiding negative operational impacts and potential conflicts with other puppet resources. If you experience resource conflicts or would just prefer to manage some settings with other modules, just disable the classes from this module that are causing the conflict.

Major system components that will be modified:

Packages that are required by the STIG will be installed
Packages forbidden by the STIG will be removed
Kernel parameters and modules will be updated
PAM files will be updated
SSH files will be updated
The system audit configuration will be updated
AIDE will be installed and configured
SELinux will be set to "enforcing" mode with "targeted" policy
Users will be assigned to an SELinux role
FIPS mode will be enabled
If FIPS or SELinux changes require a reboot, the host will be rebooted at the end of the Puppet run

Beginning with rhel7stig

Add the module to an environment and assign it to nodes. It is recommended to target a few non-production systems at first to assess the impact to the systems and identify any conflicts with other puppet resources. When STIG findings are known to cause issues or conflict with existing Puppet content, disable them in hiera. The following hiera example disables a few of the STIG classes that are likely to have an operational impact. See the Reference for a complete list of classes to include descriptions and any optional parameters.

rhel7stig::exclude:
  - v204444  # SELinux role assignments for users
  - v204397  # Multifactor authentication is required for GUI logon
  - v204429  # Require a password to use sudo
  - v204579  # Terminate sessions after 15 minutes of inactivity
  - v204587  # Terminate SSH connections after 10 minutes of inactivity

There are a few classes with required parameters, so the module will fail unless values are supplied. Ensure you set values for these:

# GRUB password hash (create with 'grub2-mkpasswd-pbkdf2') - This value is referenced by v204436, v204438, v204439, v204440
rhel7stig::grub_passwd_hash: grub.pbkdf2.sha512...<TRUNCATED>

# Central audit log server
rhel7stig::v204509::remote_server: '10.10.10.1'

# Central syslog server
rhel7stig::v204574::syslog_host: '10.10.10.1'

# SELinux user mappings are not mandatory, but if no mappings are provided all users (except root)
# will use the default mapping to SELinux 'user_u'
rhel7stig::v204444::admins:
  '%wheel': 'sysadm_u'

Usage

Many of the STIG classes do not attempt to force a configuration change. Instead, they use facts to report on the compliance status. For example, if the '/home' path is not on a separate filesystem it makes no attempt to re-partition the system. Instead the discrepancy is noted with the logged event:

SECURITY WARNING! "/home" should be on a separate file system

Review the puppet output or reports and address the 'SECURITY WARNING' messages as needed by following this general process:

Modify the build/deployment process to create separate file systems as required
Define new or update existing puppet resources for security settings like mount options, DNS, and NTP servers, etc.
Observe results of previous steps against remaining security warnings from later puppet runs
Verify reported security warnings against collected facts and resources defined in the environment, correcting as needed.
Finally, when unable to resolve findings due to operational requirements, disable the class in hiera to quiet the security warnings.

note

Many of the STIG puppet classes require data from custom facts produced by the "kgi-secfacts" module. Ensure this module is assigned to nodes to manage collection of the basic facts that support this STIG. See the Security Facts (secfacts) documentation for details.

Limitations

This module works with RedHat and CentOS 7 only.

Classes

rhel7stig: Red Hat Enterprise Linux 7 STIG :: Version 3, Release: 4 Benchmark Date: 23 Jul 2021
rhel7stig::v204392: File permissions, ownership, and group membership of system files and commands must match the vendor values.
rhel7stig::v204393: Notice and consent banner must be displayed for GUI logon
rhel7stig::v204394: Mandatory DoD message must be used as the banner for GUI logon
rhel7stig::v204395: Notice and consent banner for command line logon
rhel7stig::v204396: Require a GUI session lock
rhel7stig::v204397: Multifactor authentication is required for GUI logon
rhel7stig::v204398: The screensaver must activate after 15 minutes of inactivity
rhel7stig::v204399: Do not permit user override of the idle-delay setting for GUI screensaver delay
rhel7stig::v204400: Do not permit user override of the idle-delay setting for GUI screen lock
rhel7stig::v204402: Lock the screensaver after idle timeout
rhel7stig::v204403: Do not permit user override of the system GUI screen lock
rhel7stig::v204404: Enforce a screen lock for GUI sessions
rhel7stig::v204405: The system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.
rhel7stig::v204406: The system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
rhel7stig::v204407: Password policy must require at lease one upper-case character
rhel7stig::v204408: Password policy must require at lease one lower-case character
rhel7stig::v204409: Password policy must require at lease one numeric character
rhel7stig::v204410: Password policy must require at lease one special character
rhel7stig::v204411: Password policy must require at least 8 characters to be changed during password reset
rhel7stig::v204412: Password policy must require at least 4 character classes to be changed during password reset
rhel7stig::v204413: Password policy must limit passwords to a maximum of 3 repeated characters.
rhel7stig::v204414: Password policy must limit passwords to a maximum of 4 repeated characters of the same class
rhel7stig::v204415: The system must be configured so that the PAM system service only stores encrypted representations of passwords.
rhel7stig::v204416: Store passwords in encrypted form using the shadow file
rhel7stig::v204417: Use a strong method for hashing password
rhel7stig::v204418: Disable expired accounts
rhel7stig::v204419: The system must must restrict passwords to a 24 hours/1 day minimum lifetime.
rhel7stig::v204420: Disable expired accounts
rhel7stig::v204421: The system must must restrict passwords to a 60-day maximum lifetime.
rhel7stig::v204422: The system must prohibit reuse of passwords for 5 generations
rhel7stig::v204423: Password policy must require at least 15 characters
rhel7stig::v204424: The system must not have accounts configured with blank or null passwords.
rhel7stig::v204425: Do not allow PermitEmptyPasswords with SSH
rhel7stig::v204426: Disable expired accounts
rhel7stig::v204427: The system must lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
rhel7stig::v204428: The system must lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
rhel7stig::v204429: Require a password to use sudo
rhel7stig::v204430: Require authentication when using sudo
rhel7stig::v204431: Minimum 4 second delay after a failed login attempt
rhel7stig::v204432: Do not allow automatic logon to the system through the GUI.
rhel7stig::v204433: Do not allow unrestricted logon to the system.
rhel7stig::v204434: Do not allow PermitUserEnvironment with SSH
rhel7stig::v204435: Do not allow HostbasedAuthentication with SSH
rhel7stig::v204436: BIOS systems require a GRUB password (RHEL 7.1 and earlier)
rhel7stig::v204437: The system must require authentication upon booting into single-user and maintenance modes.
rhel7stig::v204438: BIOS systems require a GRUB password (RHEL 7.2 and later)
rhel7stig::v204439: UEFI systems require a GRUB password (RHEL 7.2 and older)
rhel7stig::v204440: UEFI systems require a GRUB password (RHEL 7.3 and later)
rhel7stig::v204441: The system must use multifactor authentication
rhel7stig::v204442: The rsh-server package must not be installed
rhel7stig::v204443: The ypserv package must not be installed
rhel7stig::v204444: The system must prevent non-privileged users from executing privileged functions.
rhel7stig::v204445: Verify file integrity at least weekly
rhel7stig::v204446: Notify the administrator of changes to the baseline
rhel7stig::v204447: Require gpgcheck for installing yum packages
rhel7stig::v204448: Require localpkg_gpgcheck for installing yum packages
rhel7stig::v204449: Disable USB mass storage
rhel7stig::v204450: Disable DCCP kernel module
rhel7stig::v204451: Disable the autofs service unless required
rhel7stig::v204452: Old package versions must be removed
rhel7stig::v204455: Disable the x86 Ctrl-Alt-Delete key sequence from the command line
rhel7stig::v204456: Disable the x86 Ctrl-Alt-Delete key sequence from the GUI
rhel7stig::v204457: Set the default UMASK
rhel7stig::v204458: The system must run a supported operating system release.
rhel7stig::v204459: The system security patches and updates must be installed and up to date.
rhel7stig::v204460: The system must not have unnecessary accounts.
rhel7stig::v204461: All Group Identifiers (GIDs) referenced in /etc/passwd file must be defined in the /etc/group file.
rhel7stig::v204462: There must be only one user with UID 0
rhel7stig::v204463: All files and directories must have a valid owner.
rhel7stig::v204464: All files and directories must have a valid group owner.
rhel7stig::v204466: All local interactive user accounts should have an assigned home directory
rhel7stig::v204467: The system must have all local interactive users configured with a home directory in the /etc/passwd file.
rhel7stig::v204468: The system must be configured so that all local interactive user home directories have mode 0750 or less permissive.
rhel7stig::v204469: The system must be configured so that all local interactive user home directories owned by their respective users.
rhel7stig::v204470: Home directories must be group-owned by the home directory owners primary group.
rhel7stig::v204471: All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.
rhel7stig::v204472: Contents of user home directories must be group-owned by a group where the home directory owner is a member
rhel7stig::v204473: All contents of local interactive user home directories must have a mode of 0750 or less permissive.
rhel7stig::v204474: All local initialization files for interactive users must be owned by the home directory user or root.
rhel7stig::v204475: All local initialization files for interactive users must be group-owned by the users primary group or root.
rhel7stig::v204476: All local initialization files have mode 0740 or less permissive.
rhel7stig::v204477: All local initialization files executable search paths resolve only to the users home directory.
rhel7stig::v204478: All local initialization files do not execute world-writable programs.
rhel7stig::v204479: All system device files must be correctly labeled to prevent unauthorized modification.
rhel7stig::v204480: File systems containing home directories must prevent files with the setuid and setgid bit set from being executed.
rhel7stig::v204481: Prevent setuid and setgid files from being executed via removable media.
rhel7stig::v204482: Prevent setuid files from being executed via Network File System (NFS).
rhel7stig::v204483: The system must prevent binary files from being executed on file systems that are being imported via NFS.
rhel7stig::v204486: The system must mount /dev/shm with secure options
rhel7stig::v204487: all world-writable directories are group-owned by root, sys, bin, or an application group.
rhel7stig::v204488: The system must set the umask value to 077 for all local interactive user accounts.
rhel7stig::v204489: The system must have cron logging implemented.
rhel7stig::v204490: The '/etc/cron.allow' file must be owned by root when present
rhel7stig::v204491: The '/etc/cron.allow' file must be group owned by root when present
rhel7stig::v204492: Disable kernerl core dumps
rhel7stig::v204493: Home directories must be located on a separate file system
rhel7stig::v204494: Home directories must be located on a separate file system
rhel7stig::v204495: Audit data must be located on a separate file system
rhel7stig::v204496: The /tmp directory must be located on a separate file system
rhel7stig::v204498: The system must use a file integrity tool to verify ACLs.
rhel7stig::v204499: The system must use a file integrity tool to verify extended attributes.
rhel7stig::v204500: The system must use FIPS 140-2 cryptographic hashes to validate files and directories.
rhel7stig::v204501: The system must not allow removable media to be used as the boot loader unless approved.
rhel7stig::v204502: The system must not have the telnet-server package installed
rhel7stig::v204503: The system must have auditing enabled
rhel7stig::v204504: The system must shut down on audit failure
rhel7stig::v204506: Audit logs must be sent to a different system or storage
rhel7stig::v204507: The system should take appropriate action when the remote logging buffer is full.
rhel7stig::v204508: Off-loaded audit logs must be labeled before sending them to the central log server.
rhel7stig::v204509: Audit records must be off-loaded to a different system or media
rhel7stig::v204510: The system must encrypt the transfer of off-loaded audit records
rhel7stig::v204511: The audit system must take appropriate action when the audit storage volume is full.
rhel7stig::v204512: The system must take appropriate action when there is an error off-loading audit records
rhel7stig::v204513: The system must notify the administrator when audit storage reached 75% of capacity
rhel7stig::v204514: The system must notify the administrator via email when the audit storage capacity is reached
rhel7stig::v204515: The system must notify the administrator and ISSO when audit storage capacity is reached
rhel7stig::v204516: The system must audit all executions of privileged functions.
rhel7stig::v204517: The system must audit all uses of the chown syscall.
rhel7stig::v204518: The system must audit all uses of the fchown syscall.
rhel7stig::v204519: The system must audit all uses of the lchown syscall.
rhel7stig::v204520: The system must audit all uses of the fchownat syscall.
rhel7stig::v204521: The system must audit all uses of the chmod syscall.
rhel7stig::v204522: The system must audit all uses of the fchmod syscall.
rhel7stig::v204523: The system must audit all uses of the fchmodat syscall.
rhel7stig::v204524: The system must audit all uses of the setxattr syscall.
rhel7stig::v204525: The system must audit all uses of the fsetxattr syscall.
rhel7stig::v204526: The system must audit all uses of the lsetxattr syscall.
rhel7stig::v204527: The system must audit all uses of the removexattr syscall.
rhel7stig::v204528: The system must audit all uses of the fremovexattr syscall.
rhel7stig::v204529: The system must audit all uses of the lremovexattr syscall.
rhel7stig::v204530: The system must audit all uses of the creat syscall.
rhel7stig::v204531: The system must audit all uses of the open syscall.
rhel7stig::v204532: The system must audit all uses of the openat syscall.
rhel7stig::v204533: The system must audit all uses of the open_by_handle_at syscall.
rhel7stig::v204534: The system must audit all uses of the truncate syscall.
rhel7stig::v204535: The system must audit all uses of the ftruncate syscall.
rhel7stig::v204536: The system must audit all uses of the semanage command.
rhel7stig::v204537: The system must audit all uses of the setsebool command.
rhel7stig::v204538: The system must audit all uses of the chcon command.
rhel7stig::v204539: The system must audit all uses of the setfiles command.
rhel7stig::v204540: The system must audit all unsuccessful account access events.
rhel7stig::v204541: The system must audit all successful account access events.
rhel7stig::v204542: The system must audit all uses of the passwd command.
rhel7stig::v204543: The system must audit all uses of the unix_chkpwd command.
rhel7stig::v204544: The system must audit all uses of the gpasswd command.
rhel7stig::v204545: The system must audit all uses of the chage command.
rhel7stig::v204546: The system must audit all uses of the userhelper command.
rhel7stig::v204547: The system must audit all uses of the su command.
rhel7stig::v204548: The system must audit all uses of the sudo command.
rhel7stig::v204549: The system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
rhel7stig::v204550: The system must audit all uses of the newgrp command.
rhel7stig::v204551: The system must audit all uses of the chsh command.
rhel7stig::v204552: The system must audit all uses of the mount command and syscall.
rhel7stig::v204553: The system must audit all uses of the umount command.
rhel7stig::v204554: The system must audit all uses of the postdrop command.
rhel7stig::v204555: The system must audit all executions of postqueue command.
rhel7stig::v204556: The system must audit all executions of ssh-keysign command.
rhel7stig::v204557: The system must audit all executions of crontab command.
rhel7stig::v204558: The system must audit all executions of pam_timestamp_check command.
rhel7stig::v204559: The system must audit all executions of the create_module syscall.
rhel7stig::v204560: The system must audit all executions of the init_module syscall.
rhel7stig::v204561: The system must audit all executions of the finit_module syscall.
rhel7stig::v204562: The system must audit all executions of the delete_module syscall.
rhel7stig::v204563: The system must audit all executions of the kmod command.
rhel7stig::v204564: The system must audit all changes to /etc/passwd.
rhel7stig::v204565: The system must audit all changes to /etc/group
rhel7stig::v204566: The system must audit all changes to /etc/gshadow
rhel7stig::v204567: The system must audit all changes to /etc/shadow
rhel7stig::v204568: The system must audit all changes to /etc/opasswd
rhel7stig::v204569: The system must audit all uses of the rename syscall.
rhel7stig::v204570: The system must audit all uses of the renameat syscall.
rhel7stig::v204571: The system must audit all uses of the rmdir syscall.
rhel7stig::v204572: The system must audit all uses of the unlink syscall.
rhel7stig::v204573: The system must audit all uses of the unlinkat syscall.
rhel7stig::v204574: The system must send rsyslog output to a log aggregation server.
rhel7stig::v204575: The system must not accept log messages from other servers unless the server is being used for log aggregation.
rhel7stig::v204576: The system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
rhel7stig::v204577: The system must limit all access to services except those documented IAW organizational requirements.
rhel7stig::v204578: The system must use use a FIPS 140-2 approved cryptographic algorithm for SSH communications.
rhel7stig::v204579: The system must terminate sessions after 15 minutes of inactivity
rhel7stig::v204580: The system must display the DoD logon banner for remote access logon prompts
rhel7stig::v204581: The system must implement cryptography to protect the integrity of LDAP authentication communications.
rhel7stig::v204582: The system must implement cryptography to protect the integrity of LDAP communications.
rhel7stig::v204583: The system must implement cryptography to protect the integrity of LDAP communications.
rhel7stig::v204584: The system must implement virtual address space randomization.
rhel7stig::v204585: The system must have SSH installed.
rhel7stig::v204586: The system must have SSH loaded and active.
rhel7stig::v204587: The system must terminate SSH connections at the end of the session or after 10 minutes of inactivity.
rhel7stig::v204588: The system must not allow RSA rhosts authentication to the SSH service.
rhel7stig::v204589: The system must terminate SSH connections after a period of inactivity.
rhel7stig::v204590: The system must allow SSH authentication using rhosts.
rhel7stig::v204591: The system must display the date and time of the last successful account logon upon an SSH logon.
rhel7stig::v204592: The system must not permit direct logons to the root account using remote access via SSH.
rhel7stig::v204593: The system must not not allow authentication using known hosts authentication to the SSH daemon.
rhel7stig::v204594: The system must be configured so that the SSH daemon will only use the SSHv2 protocol.
rhel7stig::v204595: The SSH daemon must only use (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
rhel7stig::v204596: The SSH public host key files have mode 0644 or less permissive.
rhel7stig::v204597: The SSH private host key files have mode 0640 or less permissive.
rhel7stig::v204598: The SSH daemon does not permit GSSAPI authentication unless needed.
rhel7stig::v204599: The SSH daemon does not permit Kerberos authentication unless needed.
rhel7stig::v204600: The SSH daemon must perform strict mode checking of home directory configuration files.
rhel7stig::v204601: The SSH daemon must use privilege separation.
rhel7stig::v204602: The SSH daemon must not allow compression or only allows compression after successful authentication.
rhel7stig::v204603: The system must synchronize the clock with an authoritative source.
rhel7stig::v204604: The system must enable an application firewall.
rhel7stig::v204605: The system must display the date and time of the last successful account logon upon logon.
rhel7stig::v204606: The system must not not contain .shosts files.
rhel7stig::v204607: The system must not not contain shosts.equiv files.
rhel7stig::v204608: Systems using DNS resolution require at least two name servers.
rhel7stig::v204609: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
rhel7stig::v204610: The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
rhel7stig::v204611: The system must use a reverse-path filter for IPv4 network traffic when possible by default.
rhel7stig::v204612: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
rhel7stig::v204613: The system must not respond to IPv4 ICMP echoes sent to a broadcast address.
rhel7stig::v204614: The system must prevent IPv4 ICMP redirect messages from being accepted.
rhel7stig::v204615: The system must ignore IPv4 ICMP redirect messages.
rhel7stig::v204616: The system must not allow interfaces to perform IPv4 ICMP redirects by default.
rhel7stig::v204617: The system must not send IPv4 ICMP redirects.
rhel7stig::v204618: The system network interfaces must not be in promiscuous mode.
rhel7stig::v204619: The system must prevent unrestricted mail relaying.
rhel7stig::v204620: The system must not have a File Transfer Protocol (FTP) server package installed unless needed.
rhel7stig::v204621: The system must not have the Trivial File Transfer Protocol (TFTP) server package installed.
rhel7stig::v204622: The system must be configured so that remote X connections for interactive users are encrypted.
rhel7stig::v204623: If the TFTP server is required, the TFTP daemon must be configured to operate in secure mode.
rhel7stig::v204624: The system must not have a graphical display manager installed unless approved.
rhel7stig::v204625: The system must not not be performing packet forwarding unless the system is a router.
rhel7stig::v204626: The system must use RPCSEC_GSS with NFS.
rhel7stig::v204627: The system must not use the default SNMP community strings.
rhel7stig::v204628: The system must grant or deny system access to specific hosts and services.
rhel7stig::v204629: The system must not have unauthorized IP tunnels configured.
rhel7stig::v204630: The system must not forward IPv6 source-routed packets.
rhel7stig::v204631: The system must have the required packages for multifactor authentication installed.
rhel7stig::v204632: The system must implement multifactor authentication for access to privileged accounts via PAM.
rhel7stig::v204633: The system must implement certificate status checking for PKI authentication.
rhel7stig::v204634: The system must be configured so that all wireless network adapters are disabled.
rhel7stig::v214799: The cryptographic hash of system files and commands must match vendor values.
rhel7stig::v214800: Install and enable the latest McAfee ENSLTP package.
rhel7stig::v214801: The system must use a virus scan program.
rhel7stig::v214937: The system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
rhel7stig::v219059: The system must disable the graphical user interface automounter unless required.
rhel7stig::v228563: all world-writable directories are owned by root, sys, bin, or an application group.
rhel7stig::v228564: The system must protect audit information from unauthorized read, modification, or deletion.
rhel7stig::v233307: The SSH daemon must prevent remote hosts from connecting to the proxy display.
rhel7stig::v237633: Restrict privilege elevation to authorized personnel
rhel7stig::v237634: 'sudo' privilege escalation should require the user's own password
rhel7stig::v237635: Require re-authentication when using the "sudo" command.
rhel7stig::v244557: RHEL 7.2 and later using BIOS require a unique name for the grub superusers account
rhel7stig::v244558: RHEL 7.2 and later using UEFI require a unique name for the grub superusers account
rhel7stig::v250312: Operating system must confine SELinux users to roles that conform to least privilege
rhel7stig::v250313: Operating system must not allow privileged accounts to utilize SSH
rhel7stig::v250314: Operating system must elevate the SELinux context when an administrator calls the sudo command
rhel7stig::v251702: Operating system must not have accounts configured with blank or null passwords
rhel7stig::v251703: Operating system must specify the default "include" directory for the /etc/sudoers file
rhel7stig::v251704: Operating system must not be configured to bypass password requirements for privilege escalation
rhel7stig::v251705: Operating system must use a file integrity tool to verify correct operation of all security functions

Defined types

rhel7stig::audisp_remote_setting: Manage settings in '/etc/audisp/audisp-remote.conf'
rhel7stig::audispd_setting: Manage settings in '/etc/audisp/audispd.conf'
rhel7stig::audit_rule: Defined type for adding RedHat STIG audit rules
rhel7stig::auditd_setting: Manage individual settings in '/etc/audit/auditd.conf'
rhel7stig::dconf_lock: Manage system wide gnome behavior through dconf setting locks
rhel7stig::dconf_setting: Manage system wide gnome behavior through dconf keyfile settings
rhel7stig::resolv_conf: A defined type to manage DNS client configuration in '/etc/resolv.conf'
rhel7stig::sshd_rule: Defined type for managing RedHat STIG sshd configuration
rhel7stig::sysctl_rule: Defined type for managing RedHat STIG sysctl configuration

Classes

`rhel7stig`

Red Hat Enterprise Linux 7 STIG :: Version 3, Release: 4 Benchmark Date: 23 Jul 2021

Examples

Assigning the module will enable all controls by default.

include rhel7stigs

Disable vulnerability IDs from hiera

rhel7stig::exclude:
  - v12345
  - v23456

Parameters

The following parameters are available in the rhel7stig class:

vul_id
exclude
enforce

`vul_id`

Data type: Array

The array of STIG puppet classes to be applied. This list is included with the module hiera data and should not be changed.

`exclude`

Data type: Array

An optional array of STIG puppet classes to exclude.

Default value: []

`enforce`

Data type: Array

STIG puppet classes that are excluded can be overriden and enforced here to add targeting flexibility.

Default value: []

`rhel7stig::v204392`

File permissions, ownership, and group membership of system files and commands must match the vendor values.

Note Vul ID: V-204392 Rule ID: SV-204392r505924_rule STIG ID: RHEL-07-010010 Severity: CAT I Classification: Unclass Legacy IDs: V-71849; SV-86473

`rhel7stig::v204393`

Notice and consent banner must be displayed for GUI logon

Note Vul ID: V-204393 Rule ID: SV-204393r505924_rule STIG ID: RHEL-07-010030 Severity: CAT II Classification: Unclass Legacy IDs: V-71859; SV-86483

`rhel7stig::v204394`

Mandatory DoD message must be used as the banner for GUI logon

Note Vul ID: V-204394 Rule ID: SV-204394r505924_rule STIG ID: RHEL-07-010040 Severity: CAT II Classification: Unclass Legacy IDs: V-71861; SV-86485

Parameters

The following parameters are available in the rhel7stig::v204394 class:

banner

`banner`

Data type: String

Default value: lookup('rhel7stig::gnome_logon_banner')

`rhel7stig::v204395`

Notice and consent banner for command line logon

Note Vul ID: V-204395 Rule ID: SV-204395r505924_rule STIG ID: RHEL-07-010050 Severity: CAT II Classification: Unclass Legacy IDs: V-71863; SV-86487

`rhel7stig::v204396`

Require a GUI session lock

Note Vul ID: V-204396 Rule ID: SV-204396r505924_rule STIG ID: RHEL-07-010060 Severity: CAT II Classification: Unclass Legacy IDs: V-71891; SV-86515

`rhel7stig::v204397`

Multifactor authentication is required for GUI logon

Note Vul ID: V-204397 Rule ID: SV-204397r505924_rule STIG ID: RHEL-07-010061 Severity: CAT II Classification: Unclass Legacy IDs: V-77819; SV-92515

`rhel7stig::v204398`

The screensaver must activate after 15 minutes of inactivity

Note Vul ID: V-204398 Rule ID: SV-204398r505924_rule STIG ID: RHEL-07-010070 Severity: CAT II Classification: Unclass Legacy IDs: V-71893; SV-86517

Parameters

The following parameters are available in the rhel7stig::v204398 class:

delay

`delay`

Data type: Integer[1, 900]

Seconds of idle time until the screensaver will activate (900)

Default value: 900

`rhel7stig::v204399`

Do not permit user override of the idle-delay setting for GUI screensaver delay

Note Vul ID: V-204399 Rule ID: SV-204399r505924_rule STIG ID: RHEL-07-010081 Severity: CAT II Classification: Unclass Legacy IDs: V-73155; SV-87807

`rhel7stig::v204400`

Do not permit user override of the idle-delay setting for GUI screen lock

Note Vul ID: V-204400 Rule ID: SV-204400r505924_rule STIG ID: RHEL-07-010082 Severity: CAT II Classification: Unclass Legacy IDs: V-73157; SV-87809

`rhel7stig::v204402`

Lock the screensaver after idle timeout

Note Vul ID: V-204402 Rule ID: SV-204402r505924_rule STIG ID: RHEL-07-010100 Severity: CAT II Classification: Unclass Legacy IDs: V-71899; SV-86523

`rhel7stig::v204403`

Do not permit user override of the system GUI screen lock

Note Vul ID: V-204403 Rule ID: SV-204403r505924_rule STIG ID: RHEL-07-010101 Severity: CAT II Classification: Unclass Legacy IDs: V-78997; SV-93703

`rhel7stig::v204404`

Enforce a screen lock for GUI sessions

Note Vul ID: V-204404 Rule ID: SV-204404r505924_rule STIG ID: RHEL-07-010110 Severity: CAT II Classification: Unclass Legacy IDs: V-71901; SV-86525

Examples

include rhel7stig::v204404

Parameters

The following parameters are available in the rhel7stig::v204404 class:

delay

`delay`

Data type: Integer[1, 5]

Minutes until the GNOME screen lock will activate (5)

Default value: 5

`rhel7stig::v204405`

The system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.

Note Vul ID: V-204405 Rule ID: SV-204405r505924_rule STIG ID: RHEL-07-010118 Severity: CAT II Classification: Unclass Legacy IDs: V-81003; SV-95715

`rhel7stig::v204406`

The system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.

Note Vul ID: V-204406 Rule ID: SV-204406r505924_rule STIG ID: RHEL-07-010119 Severity: CAT II Classification: Unclass Legacy IDs: V-73159; SV-87811

`rhel7stig::v204407`

Password policy must require at lease one upper-case character

Note Vul ID: V-204407 Rule ID: SV-204407r505924_rule STIG ID: RHEL-07-010120 Severity: CAT II Classification: Unclass Legacy IDs: V-71903; SV-86527

`rhel7stig::v204408`

Password policy must require at lease one lower-case character

Note Vul ID: V-204408 Rule ID: SV-204408r505924_rule STIG ID: RHEL-07-010130 Severity: CAT II Classification: Unclass Legacy IDs: V-71905; SV-86529

`rhel7stig::v204409`

Password policy must require at lease one numeric character

Note Vul ID: V-204409 Rule ID: SV-204409r505924_rule STIG ID: RHEL-07-010140 Severity: CAT II Classification: Unclass Legacy IDs: V-71907; SV-86531

`rhel7stig::v204410`

Password policy must require at lease one special character

Note Vul ID: V-204410 Rule ID: SV-204410r505924_rule STIG ID: RHEL-07-010150 Severity: CAT II Classification: Unclass Legacy IDs: V-71909; SV-86533

`rhel7stig::v204411`

Password policy must require at least 8 characters to be changed during password reset

Note Vul ID: V-204411 Rule ID: SV-204411r505924_rule STIG ID: RHEL-07-010160 Severity: CAT II Classification: Unclass Legacy IDs: V-71911; SV-86535

Parameters

The following parameters are available in the rhel7stig::v204411 class:

difok

`difok`

Data type: Integer[8]

Minimum number of characters that must be changed when setting a password

Default value: 8

`rhel7stig::v204412`

Password policy must require at least 4 character classes to be changed during password reset

Note Vul ID: V-204412 Rule ID: SV-204412r505924_rule STIG ID: RHEL-07-010170 Severity: CAT II Classification: Unclass Legacy IDs: V-71913; SV-86537

Parameters

The following parameters are available in the rhel7stig::v204412 class:

minclass

`minclass`

Data type: Integer[4]

Minimum number of characters classes that must be changed when setting a password

Default value: 4

`rhel7stig::v204413`

Password policy must limit passwords to a maximum of 3 repeated characters.

Note Vul ID: V-204413 Rule ID: SV-204413r505924_rule STIG ID: RHEL-07-010180 Severity: CAT II Classification: Unclass Legacy IDs: V-71915; SV-86539

Parameters

The following parameters are available in the rhel7stig::v204413 class:

maxrepeat

`maxrepeat`

Data type: Integer[3]

Maximum number of repeating characters permitted when setting a password

Default value: 3

`rhel7stig::v204414`

Password policy must limit passwords to a maximum of 4 repeated characters of the same class

Note Vul ID: V-204414 Rule ID: SV-204414r505924_rule STIG ID: RHEL-07-010190 Severity: CAT II Classification: Unclass Legacy IDs: V-71917; SV-86541

Parameters

The following parameters are available in the rhel7stig::v204414 class:

maxclassrepeat

`maxclassrepeat`

Data type: Integer[4]

Maximum number of repeating characters permitted when setting a password.04414

Default value: 4

`rhel7stig::v204415`

The system must be configured so that the PAM system service only stores encrypted representations of passwords.

Note Vul ID: V-204415 Rule ID: SV-204415r505924_rule STIG ID: RHEL-07-010200 Severity: CAT II Classification: Unclass Legacy IDs: V-71919; SV-86543

`rhel7stig::v204416`

Store passwords in encrypted form using the shadow file

Note Vul ID: V-204416 Rule ID: SV-204416r505924_rule STIG ID: RHEL-07-010210 Severity: CAT II Classification: Unclass Legacy IDs: V-71921; SV-86545

`rhel7stig::v204417`

Use a strong method for hashing password

Note Vul ID: V-204417 Rule ID: SV-204417r505924_rule STIG ID: RHEL-07-010220 Severity: CAT II Classification: Unclass Legacy IDs: V-71923; SV-86547

`rhel7stig::v204418`

Disable expired accounts

Note Vul ID: V-204418 Rule ID: SV-204418r505924_rule STIG ID: RHEL-07-010230 Severity: CAT II Classification: Unclass Legacy IDs: V-71925; SV-86549

Parameters

The following parameters are available in the rhel7stig::v204418 class:

pass_min_days

`pass_min_days`

Data type: Integer[1]

Maximum password age before expiration

Default value: 1

`rhel7stig::v204419`

The system must must restrict passwords to a 24 hours/1 day minimum lifetime.

Note Vul ID: V-204419 Rule ID: SV-204419r505924_rule STIG ID: RHEL-07-010240 Severity: CAT II Classification: Unclass Legacy IDs: V-71927; SV-86551

`rhel7stig::v204420`

Disable expired accounts

Note Vul ID: V-204420 Rule ID: SV-204420r505924_rule STIG ID: RHEL-07-010250 Severity: CAT II Classification: Unclass Legacy IDs: V-71929; SV-86553

Parameters

The following parameters are available in the rhel7stig::v204420 class:

pass_max_days

`pass_max_days`

Data type: Integer[1, 60]

Maximum password age before expiration

Default value: 60

`rhel7stig::v204421`

The system must must restrict passwords to a 60-day maximum lifetime.

Note Vul ID: V-204421 Rule ID: SV-204421r505924_rule STIG ID: RHEL-07-010260 Severity: CAT II Classification: Unclass Legacy IDs: V-71931; SV-86555

`rhel7stig::v204422`

The system must prohibit reuse of passwords for 5 generations

Note Vul ID: V-204422 Rule ID: SV-204422r505924_rule STIG ID: RHEL-07-010270 Severity: CAT II Classification: Unclass Legacy IDs: V-71933; SV-86557

`rhel7stig::v204423`

Password policy must require at least 15 characters

Note Vul ID: V-204423 Rule ID: SV-204423r505924_rule STIG ID: RHEL-07-010280 Severity: CAT II Classification: Unclass Legacy IDs: V-71935; SV-86559

Parameters

The following parameters are available in the rhel7stig::v204423 class:

minlen

`minlen`

Data type: Integer[15]

Minimum number of required characters in a password.

Default value: 15

`rhel7stig::v204424`

The system must not have accounts configured with blank or null passwords.

Note Vul ID: V-204424 Rule ID: SV-204424r505924_rule STIG ID: RHEL-07-010290 Severity: CAT I Classification: Unclass Legacy IDs: V-71937; SV-86561

`rhel7stig::v204425`

Do not allow PermitEmptyPasswords with SSH

Note Vul ID: V-204425 Rule ID: SV-204425r505924_rule STIG ID: RHEL-07-010300 Severity: CAT I Classification: Unclass Legacy IDs: V-71939; SV-86563

`rhel7stig::v204426`

Disable expired accounts

Note Vul ID: V-204426 Rule ID: SV-204426r505924_rule STIG ID: RHEL-07-010310 Severity: CAT II Classification: Unclass Legacy IDs: V-71941; SV-86565

`rhel7stig::v204427`

The system must lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.

Note Vul ID: V-204427 Rule ID: SV-204427r505924_rule STIG ID: RHEL-07-010320 Severity: CAT II Classification: Unclass Legacy IDs: V-71943; SV-86567

`rhel7stig::v204428`

The system must lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.

Note Vul ID: V-204428 Rule ID: SV-204428r505924_rule STIG ID: RHEL-07-010330 Severity: CAT II Classification: Unclass Legacy IDs: V-71945; SV-86569

`rhel7stig::v204429`

Require a password to use sudo

Note Vul ID: V-204429 Rule ID: SV-204429r505924_rule STIG ID: RHEL-07-010340 Severity: CAT II Classification: Unclass Legacy IDs: V-71947; SV-86571

`rhel7stig::v204430`

================================================================================================================= Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Version 3, Release: 1 Benchmark Date: 23 Oct 2020 Vul ID: V-204430 Rule ID: SV-204430r505924_rule STIG ID: RHEL-07-010350 Severity: CAT II Classification: Unclass Legacy IDs: V-71949; SV-86573

Rule Title: The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate

for privilege escalation.

Examples

include rhel7stig::v204430

`rhel7stig::v204431`

Minimum 4 second delay after a failed login attempt

Note Vul ID: V-204431 Rule ID: SV-204431r505924_rule STIG ID: RHEL-07-010430 Severity: CAT II Classification: Unclass Legacy IDs: V-71951; SV-86575

Parameters

The following parameters are available in the rhel7stig::v204431 class:

delay

`delay`

Data type: Integer[4]

Number of seconds to wait after a failed login

Default value: 4

`rhel7stig::v204432`

Do not allow automatic logon to the system through the GUI.

Note Vul ID: V-204432 Rule ID: SV-204432r505924_rule STIG ID: RHEL-07-010440 Severity: CAT I Classification: Unclass Legacy IDs: V-71953; SV-86577

`rhel7stig::v204433`

Do not allow unrestricted logon to the system.

Note Vul ID: V-204433 Rule ID: SV-204433r505924_rule STIG ID: RHEL-07-010450 Severity: CAT I Classification: Unclass Legacy IDs: V-71955; SV-86579

`rhel7stig::v204434`

Do not allow PermitUserEnvironment with SSH

Note Vul ID: V-204434 Rule ID: SV-204434r505924_rule STIG ID: RHEL-07-010460 Severity: CAT II Classification: Unclass Legacy IDs: V-71957; SV-86581

`rhel7stig::v204435`

Do not allow HostbasedAuthentication with SSH

Note Vul ID: V-204435 Rule ID: SV-204435r505924_rule STIG ID: RHEL-07-010470 Severity: CAT II Classification: Unclass Legacy IDs: V-71959; SV-86583

`rhel7stig::v204436`

================================================================================================================= Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Version 3, Release: 1 Benchmark Date: 23 Oct 2020 Vul ID: V-204436 Rule ID: SV-204436r505924_rule STIG ID: RHEL-07-010480 Severity: CAT I Classification: Unclass Legacy IDs: V-71961; SV-86585

Rule Title: Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS)

must require authentication upon booting into single-user and maintenance modes.

Examples

include rhel7stig::v204436

Parameters

The following parameters are available in the rhel7stig::v204436 class:

grub_passwd_hash

`grub_passwd_hash`

Data type: String

The GRUB password hash. Created with 'grub2-mkpasswd-pbkdf2' command.

Default value: lookup('rhel7stig::grub_passwd_hash', String, 'first')

`rhel7stig::v204437`

================================================================================================================= Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Version 3, Release: 1 Benchmark Date: 23 Oct 2020 Vul ID: V-204437 Rule ID: SV-204437r505924_rule STIG ID: RHEL-07-010481 Severity: CAT II Classification: Unclass Legacy IDs: V-77823; SV-92519

Rule Title: The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user

and maintenance modes.

Examples

include rhel7stig::v204437

`rhel7stig::v204438`

BIOS systems require a GRUB password (RHEL 7.2 and later)

Note Vul ID: V-204438 Rule ID: SV-204438r744095_rule STIG ID: RHEL-07-010482 Severity: CAT I Classification: Unclass Legacy IDs: V-81005; SV-95717

Examples

include rhel7stig::v204438

Parameters

The following parameters are available in the rhel7stig::v204438 class:

grub_passwd_hash

`grub_passwd_hash`

Data type: String

The GRUB password hash. Created with 'grub2-mkpasswd-pbkdf2' command.

Default value: lookup('rhel7stig::grub_passwd_hash', String, 'first')

`rhel7stig::v204439`

================================================================================================================= Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Version 3, Release: 1 Benchmark Date: 23 Oct 2020 Vul ID: V-204439 Rule ID: SV-204439r505924_rule STIG ID: RHEL-07-010490 Severity: CAT I Classification: Unclass Legacy IDs: V-71963; SV-86587

Rule Title: Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface

(UEFI) must require authentication upon booting into single-user and maintenance modes.

Examples

include rhel7stig::v204439

Parameters

The following parameters are available in the rhel7stig::v204439 class:

grub_passwd_hash

`grub_passwd_hash`

Data type: String

The GRUB password hash. Create with old version of 'grub2-mkpasswd-pbkdf2' command.

Default value: lookup('rhel7stig::grub_passwd_hash', String, 'first')

`rhel7stig::v204440`

UEFI systems require a GRUB password (RHEL 7.3 and later)

Note Vul ID: V-204440 Rule ID: SV-204440r505924_rule STIG ID: RHEL-07-010491 Severity: CAT I Classification: Unclass Legacy IDs: V-81007; SV-95719

Parameters

The following parameters are available in the rhel7stig::v204440 class:

grub_passwd_hash

`grub_passwd_hash`

Data type: String

The GRUB password hash. Created with 'grub2-mkpasswd-pbkdf2' command.

Default value: lookup('rhel7stig::grub_passwd_hash', String, 'first')

`rhel7stig::v204441`

Severity: CAT II Classification: Unclass Legacy IDs: V-71965; SV-86589

users (or processes acting on behalf of organizational users) using multifactor authentication.

Note Vul ID: V-204441 Rule ID: SV-204441r505924_rule STIG ID: RHEL-07-010500

`rhel7stig::v204442`

The rsh-server package must not be installed

Note Vul ID: V-204442 Rule ID: SV-204442r505924_rule STIG ID: RHEL-07-020000 Severity: CAT I Classification: Unclass Legacy IDs: V-71967; SV-86591

`rhel7stig::v204443`

The ypserv package must not be installed

Note Vul ID: V-204443 Rule ID: SV-204443r505924_rule STIG ID: RHEL-07-020010 Severity: CAT I Classification: Unclass Legacy IDs: V-71969; SV-86593

`rhel7stig::v204444`

rhel7stig::v204444::user_map: '%wheel': staff_u

Note Vul ID: V-204444 Rule ID: SV-204444r505924_rule STIG ID: RHEL-07-020020 Severity: CAT II Classification: Unclass Legacy IDs: V-71971; SV-86595

Examples

Hiera data example to map the 'wheel' group to the 'staff_u' SELinux user role:

Parameters

The following parameters are available in the rhel7stig::v204444 class:

user_map
ssh_sysadm_login

`user_map`

Data type: Hash

A hash of privileged users, or groups when prefixed with '%', mapped to SELinux user roles. The module will map the 'default' user to 'user_u' and the root user to 'unconfined_u'. With no other mappings, all other users are effectively mapped to 'user_u' by the 'default' entry. Note that per the STIG, admin accounts should map to either the 'sysadm_u' or 'staff_u' SELinux user role.

Default value: {}

`ssh_sysadm_login`

Data type: Boolean

Control the SELinux boolean of the same name.

Default value: true

`rhel7stig::v204445`

Verify file integrity at least weekly

Note Vul ID: V-204445 Rule ID: SV-204445r505924_rule STIG ID: RHEL-07-020030 Severity: CAT II Classification: Unclass Legacy IDs: V-71973; SV-86597

Parameters

The following parameters are available in the rhel7stig::v204445 class:

frequency
email

`frequency`

Data type: Enum['daily', 'weekly']

Should the AIDE cron job be run daily or weekly? (weekly)

Default value: 'weekly'

`email`

Data type: String

Email address as the notification destination

Default value: "root@${facts['fqdn']}"

`rhel7stig::v204446`

Notify the administrator of changes to the baseline

Note Vul ID: V-204446 Rule ID: SV-204446r505924_rule STIG ID: RHEL-07-020040 Severity: CAT II Classification: Unclass Legacy IDs: V-71975; SV-86599

Parameters

The following parameters are available in the rhel7stig::v204446 class:

frequency
email

`frequency`

Data type: Enum['daily', 'weekly']

Should the AIDE cron job be run daily or weekly? (weekly)

Default value: 'weekly'

`email`

Data type: String

Email address as the notification destination

Default value: "root@${facts['fqdn']}"

`rhel7stig::v204447`

Require gpgcheck for installing yum packages

Note Vul ID: V-204447 Rule ID: SV-204447r505924_rule STIG ID: RHEL-07-020050 Severity: CAT I Classification: Unclass Legacy IDs: V-71977; SV-86601

`rhel7stig::v204448`

Require localpkg_gpgcheck for installing yum packages

Note Vul ID: V-204448 Rule ID: SV-204448r505924_rule STIG ID: RHEL-07-020060 Severity: CAT I Classification: Unclass Legacy IDs: V-71979; SV-86603

`rhel7stig::v204449`

Disable USB mass storage

Note Vul ID: V-204449 Rule ID: SV-204449r505924_rule STIG ID: RHEL-07-020100 Severity: CAT II Classification: Unclass Legacy IDs: V-71983; SV-86607

`rhel7stig::v204450`

Disable DCCP kernel module

Note Vul ID: V-204450 Rule ID: SV-204450r505924_rule STIG ID: RHEL-07-020101 Severity: CAT II Classification: Unclass Legacy IDs: V-77821; SV-92517

`rhel7stig::v204451`

Disable the autofs service unless required

Note Vul ID: V-204451 Rule ID: SV-204451r505924_rule STIG ID: RHEL-07-020110 Severity: CAT II Classification: Unclass Legacy IDs: V-71985; SV-86609

`rhel7stig::v204452`

Old package versions must be removed

Note Vul ID: V-204452 Rule ID: SV-204452r505924_rule STIG ID: RHEL-07-020200 Severity: CAT III Classification: Unclass Legacy IDs: V-71987; SV-86611

`rhel7stig::v204455`

Disable the x86 Ctrl-Alt-Delete key sequence from the command line

Note Vul ID: V-204455 Rule ID: SV-204455r505924_rule STIG ID: RHEL-07-020230 Severity: CAT I Classification: Unclass Legacy IDs: V-71993; SV-86617

`rhel7stig::v204456`

Disable the x86 Ctrl-Alt-Delete key sequence from the GUI

Note Vul ID: V-204456 Rule ID: SV-204456r505924_rule STIG ID: RHEL-07-020231 Severity: CAT I Classification: Unclass Legacy IDs: V-94843; SV-104673

`rhel7stig::v204457`

Set the default UMASK

Note Vul ID: V-204457 Rule ID: SV-204457r505924_rule STIG ID: RHEL-07-020240 Severity: CAT II Classification: Unclass Legacy IDs: V-71995; SV-86619

`rhel7stig::v204458`

The system must run a supported operating system release.

Note Vul ID: V-204458 Rule ID: SV-204458r505924_rule STIG ID: RHEL-07-020250 Severity: CAT I Classification: Unclass Legacy IDs: V-71997; SV-86621

`rhel7stig::v204459`

The system security patches and updates must be installed and up to date.

Note Vul ID: V-204459 Rule ID: SV-204459r505924_rule STIG ID: RHEL-07-020260 Severity: CAT II Classification: Unclass Legacy IDs: V-71999; SV-86623

`rhel7stig::v204460`

The system must not have unnecessary accounts.

Note Vul ID: V-204460 Rule ID: SV-204460r505924_rule STIG ID: RHEL-07-020270 Severity: CAT II Classification: Unclass Legacy IDs: V-72001; SV-86625

Parameters

The following parameters are available in the rhel7stig::v204460 class:

unauthorized

`unauthorized`

Data type: Array

An array of user names known to be unauthorized

Default value: [ 'games', 'gopher', ]

`rhel7stig::v204461`

All Group Identifiers (GIDs) referenced in /etc/passwd file must be defined in the /etc/group file.

Note Vul ID: V-204461 Rule ID: SV-204461r505924_rule STIG ID: RHEL-07-020300 Severity: CAT III Classification: Unclass Legacy IDs: V-72003; SV-86627

`rhel7stig::v204462`

There must be only one user with UID 0

Note Vul ID: V-204462 Rule ID: SV-204462r505924_rule STIG ID: RHEL-07-020310 Severity: CAT I Classification: Unclass Legacy IDs: V-72005; SV-86629

`rhel7stig::v204463`

All files and directories must have a valid owner.

Note Vul ID: V-204463 Rule ID: SV-204463r505924_rule STIG ID: RHEL-07-020320 Severity: CAT II Classification: Unclass Legacy IDs: V-72007; SV-86631

`rhel7stig::v204464`

All files and directories must have a valid group owner.

Note Vul ID: V-204464 Rule ID: SV-204464r505924_rule STIG ID: RHEL-07-020330 Severity: CAT II Classification: Unclass Legacy IDs: V-72009; SV-86633

`rhel7stig::v204466`

All local interactive user accounts should have an assigned home directory

Note Vul ID: V-204466 Rule ID: SV-204466r505924_rule STIG ID: RHEL-07-020610 Severity: CAT II Classification: Unclass Legacy IDs: V-72013; SV-86637

`rhel7stig::v204467`

The system must have all local interactive users configured with a home directory in the /etc/passwd file.

Note Vul ID: V-204467 Rule ID: SV-204467r505924_rule STIG ID: RHEL-07-020620 Severity: CAT II Classification: Unclass Legacy IDs: V-72015; SV-86639

`rhel7stig::v204468`

The system must be configured so that all local interactive user home directories have mode 0750 or less permissive.

Note Vul ID: V-204468 Rule ID: SV-204468r505924_rule STIG ID: RHEL-07-020630 Severity: CAT II Classification: Unclass Legacy IDs: V-72017; SV-86641

`rhel7stig::v204469`

The system must be configured so that all local interactive user home directories owned by their respective users.

Note Vul ID: V-204469 Rule ID: SV-204469r505924_rule STIG ID: RHEL-07-020640 Severity: CAT II Classification: Unclass Legacy IDs: V-72019; SV-86643

`rhel7stig::v204470`

Home directories must be group-owned by the home directory owners primary group.

Note Vul ID: V-204470 Rule ID: SV-204470r505924_rule STIG ID: RHEL-07-020650 Severity: CAT II Classification: Unclass Legacy IDs: V-72021; SV-86645

`rhel7stig::v204471`

All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.

Note Vul ID: V-204471 Rule ID: SV-204471r505924_rule STIG ID: RHEL-07-020660 Severity: CAT II Classification: Unclass Legacy IDs: V-72023; SV-86647

`rhel7stig::v204472`

Contents of user home directories must be group-owned by a group where the home directory owner is a member

Note Vul ID: V-204472 Rule ID: SV-204472r505924_rule STIG ID: RHEL-07-020670 Severity: CAT II Classification: Unclass Legacy IDs: V-72025; SV-86649

`rhel7stig::v204473`

All contents of local interactive user home directories must have a mode of 0750 or less permissive.

Note Vul ID: V-204473 Rule ID: SV-204473r505924_rule STIG ID: RHEL-07-020680 Severity: CAT II Classification: Unclass Legacy IDs: V-72027; SV-86651

`rhel7stig::v204474`

All local initialization files for interactive users must be owned by the home directory user or root.

Note Vul ID: V-204474 Rule ID: SV-204474r505924_rule STIG ID: RHEL-07-020690 Severity: CAT II Classification: Unclass Legacy IDs: V-72029; SV-86653

`rhel7stig::v204475`

All local initialization files for interactive users must be group-owned by the users primary group or root.

Note Vul ID: V-204475 Rule ID: SV-204475r505924_rule STIG ID: RHEL-07-020700 Severity: CAT II Classification: Unclass Legacy IDs: V-72031; SV-86655

`rhel7stig::v204476`

have mode 0740 or less permissive.

Note Vul ID: V-204476 Rule ID: SV-204476r505924_rule STIG ID: RHEL-07-020710 Severity: CAT II Classification: Unclass Legacy IDs: V-72033; SV-86657

`rhel7stig::v204477`

All local initialization files executable search paths resolve only to the users home directory.

Note Vul ID: V-204477 Rule ID: SV-204477r505924_rule STIG ID: RHEL-07-020720 Severity: CAT II Classification: Unclass Legacy IDs: V-72035; SV-86659

`rhel7stig::v204478`

All local initialization files do not execute world-writable programs.

Note Vul ID: V-204478 Rule ID: SV-204478r505924_rule STIG ID: RHEL-07-020730 Severity: CAT II Classification: Unclass Legacy IDs: V-72037; SV-86661

`rhel7stig::v204479`

All system device files must be correctly labeled to prevent unauthorized modification.

Note Vul ID: V-204479 Rule ID: SV-204479r505924_rule STIG ID: RHEL-07-020900 Severity: CAT II Classification: Unclass Legacy IDs: V-72039; SV-86663

`rhel7stig::v204480`

File systems containing home directories must prevent files with the setuid and setgid bit set from being executed.

Note Vul ID: V-204480 Rule ID: SV-204480r505924_rule STIG ID: RHEL-07-021000 Severity: CAT II Classification: Unclass Legacy IDs: V-72041; SV-86665

`rhel7stig::v204481`

Prevent setuid and setgid files from being executed via removable media.

Note Vul ID: V-204481 Rule ID: SV-204481r505924_rule STIG ID: RHEL-07-021010 Severity: CAT II Classification: Unclass Legacy IDs: V-72043; SV-86667

`rhel7stig::v204482`

Prevent setuid files from being executed via Network File System (NFS).

Note Vul ID: V-204482 Rule ID: SV-204482r505924_rule STIG ID: RHEL-07-021020 Severity: CAT II Classification: Unclass Legacy IDs: V-72045; SV-86669

`rhel7stig::v204483`

The system must prevent binary files from being executed on file systems that are being imported via NFS.

Note Vul ID: V-204483 Rule ID: SV-204483r505924_rule STIG ID: RHEL-07-021021 Severity: CAT II Classification: Unclass Legacy IDs: V-73161; SV-87813

`rhel7stig::v204486`

The system must mount /dev/shm with secure options

Note Vul ID: V-204486 Rule ID: SV-204486r505924_rule STIG ID: RHEL-07-021024 Severity: CAT III Classification: Unclass Legacy IDs: V-81013; SV-95725

`rhel7stig::v204487`

all world-writable directories are group-owned by root, sys, bin, or an application group.

Note Vul ID: V-204487 Rule ID: SV-204487r505924_rule STIG ID: RHEL-07-021030 Severity: CAT II Classification: Unclass Legacy IDs: V-72047; SV-86671

`rhel7stig::v204488`

The system must set the umask value to 077 for all local interactive user accounts.

Note Vul ID: V-204488 Rule ID: SV-204488r505924_rule STIG ID: RHEL-07-021040 Severity: CAT II Classification: Unclass Legacy IDs: V-72049; SV-86673

`rhel7stig::v204489`

The system must have cron logging implemented.

Note Vul ID: V-204489 Rule ID: SV-204489r505924_rule STIG ID: RHEL-07-021100 Severity: CAT II Classification: Unclass Legacy IDs: V-72051; SV-86675

`rhel7stig::v204490`

The '/etc/cron.allow' file must be owned by root when present

Note Vul ID: V-204490 Rule ID: SV-204490r505924_rule STIG ID: RHEL-07-021110 Severity: CAT II Classification: Unclass Legacy IDs: V-72053; SV-86677

`rhel7stig::v204491`

The '/etc/cron.allow' file must be group owned by root when present

Note Vul ID: V-204491 Rule ID: SV-204491r505924_rule STIG ID: RHEL-07-021120 Severity: CAT II Classification: Unclass Legacy IDs: V-72055; SV-86679

`rhel7stig::v204492`

Disable kernerl core dumps

Note Vul ID: V-204492 Rule ID: SV-204492r505924_rule STIG ID: RHEL-07-021300 Severity: CAT II Classification: Unclass Legacy IDs: V-72057; SV-86681

`rhel7stig::v204493`

Home directories must be located on a separate file system

Note Vul ID: V-204493 Rule ID: SV-204493r505924_rule STIG ID: RHEL-07-021310 Severity: CAT III Classification: Unclass Legacy IDs: V-72059; SV-86683

`rhel7stig::v204494`

Home directories must be located on a separate file system

Note Vul ID: V-204494 Rule ID: SV-204494r505924_rule STIG ID: RHEL-07-021320 Severity: CAT III Classification: Unclass Legacy IDs: V-72061; SV-86685

`rhel7stig::v204495`

Audit data must be located on a separate file system

Note Vul ID: V-204495 Rule ID: SV-204495r505924_rule STIG ID: RHEL-07-021330 Severity: CAT III Classification: Unclass Legacy IDs: V-72063; SV-86687

`rhel7stig::v204496`

The /tmp directory must be located on a separate file system

Note Vul ID: V-204496 Rule ID: SV-204496r505924_rule STIG ID: RHEL-07-021340 Severity: CAT III Classification: Unclass Legacy IDs: V-72065; SV-86689

`rhel7stig::v204498`

The system must use a file integrity tool to verify ACLs.

Note Vul ID: V-204498 Rule ID: SV-204498r505924_rule STIG ID: RHEL-07-02160 Severity: CAT III Classification: Unclass Legacy IDs: V-72069; SV-86693

Parameters

The following parameters are available in the rhel7stig::v204498 class:

action

`action`

Data type: Enum['fix', 'warn']

One of "fix" or "warn".

Default value: 'fix'

`rhel7stig::v204499`

The system must use a file integrity tool to verify extended attributes.

Note Vul ID: V-204499 Rule ID: SV-204499r505924_rule STIG ID: RHEL-07-021610 Severity: CAT III Classification: Unclass Legacy IDs: V-72071; SV-86695

Parameters

The following parameters are available in the rhel7stig::v204499 class:

action

`action`

Data type: Enum['fix', 'warn']

One of "fix" or "warn".

Default value: 'fix'

`rhel7stig::v204500`

The system must use FIPS 140-2 cryptographic hashes to validate files and directories.

Note Vul ID: V-204500 Rule ID: SV-204500r505924_rule STIG ID: RHEL-07-021620 Severity: CAT II Classification: Unclass Legacy IDs: V-72073; SV-86697

Parameters

The following parameters are available in the rhel7stig::v204500 class:

action

`action`

Data type: Enum['fix', 'warn']

One of "fix" or "warn".

Default value: 'fix'

`rhel7stig::v204501`

The system must not allow removable media to be used as the boot loader unless approved.

Note Vul ID: V-204501 Rule ID: SV-204501r505924_rule STIG ID: RHEL-07-021700 Severity: CAT II Classification: Unclass Legacy IDs: V-72075; SV-86699

`rhel7stig::v204502`

The system must not have the telnet-server package installed

Note Vul ID: V-204502 Rule ID: SV-204502r505924_rule STIG ID: RHEL-07-021710 Severity: CAT I Classification: Unclass Legacy IDs: V-72077; SV-86701

`rhel7stig::v204503`

The system must have auditing enabled

Note Vul ID: V-204503 Rule ID: SV-204503r505924_rule STIG ID: RHEL-07-030000 Severity: CAT II Classification: Unclass Legacy IDs: V-72079; SV-86703

`rhel7stig::v204504`

The system must shut down on audit failure

Note Vul ID: V-204504 Rule ID: SV-204504r505924_rule STIG ID: RHEL-07-030010 Severity: CAT II Classification: Unclass Legacy IDs: V-72081; SV-86705

Parameters

The following parameters are available in the rhel7stig::v204504 class:

fail_mode

`fail_mode`

Data type: Integer[1, 2]

Number that determines the action

Default value: 2

`rhel7stig::v204506`

system or storage media from the system being audited.

Note Vul ID: V-204506 Rule ID: SV-204506r505924_rule STIG ID: RHEL-07-030201 Severity: CAT II Classification: Unclass Legacy IDs: V-81017; SV-95729

`rhel7stig::v204507`

The system should take appropriate action when the remote logging buffer is full.

Note Vul ID: V-204507 Rule ID: SV-204507r505924_rule STIG ID: RHEL-07-030210 Severity: CAT II Classification: Unclass Legacy IDs: V-81019; SV-95731

Parameters

The following parameters are available in the rhel7stig::v204507 class:

overflow_action

`overflow_action`

Data type: Enum['syslog', 'single', 'halt']

The action to be taken when the log buffer is full

Default value: 'syslog'

`rhel7stig::v204508`

Off-loaded audit logs must be labeled before sending them to the central log server.

Note Vul ID: V-204508 Rule ID: SV-204508r505924_rule STIG ID: RHEL-07-030211 Severity: CAT II Classification: Unclass Legacy IDs: V-81021; SV-95733

Parameters

The following parameters are available in the rhel7stig::v204508 class:

name_format

`name_format`

Data type: Enum['hostname', 'fqd', 'numeric']

Identifying data added to log events when forwarding logs to a remote server

Default value: 'hostname'

`rhel7stig::v204509`

Audit records must be off-loaded to a different system or media

Note Vul ID: V-204509 Rule ID: SV-204509r505924_rule STIG ID: RHEL-07-030300 Severity: CAT II Classification: Unclass Legacy IDs: V-72083; SV-86707

Parameters

The following parameters are available in the rhel7stig::v204509 class:

remote_server

`remote_server`

Data type: String

Hostname or IP address of the destination server where audit logs will be sent.

`rhel7stig::v204510`

The system must encrypt the transfer of off-loaded audit records

Note Vul ID: V-204510 Rule ID: SV-204510r505924_rule STIG ID: RHEL-07-030310 Severity: CAT II Classification: Unclass Legacy IDs: V-72085; SV-86709

`rhel7stig::v204511`

The audit system must take appropriate action when the audit storage volume is full.

Note Vul ID: V-204511 Rule ID: SV-204511r505924_rule STIG ID: RHEL-07-030320 Severity: CAT II Classification: Unclass Legacy IDs: V-72087; SV-86711

Parameters

The following parameters are available in the rhel7stig::v204511 class:

disk_full_action

`disk_full_action`

Data type: Enum['syslog', 'single', 'halt']

System response when unable to save audit logs due to lack of storage

Default value: 'syslog'

`rhel7stig::v204512`

The system must take appropriate action when there is an error off-loading audit records

Note Vul ID: V-204512 Rule ID: SV-204512r505924_rule STIG ID: RHEL-07-030321 Severity: CAT II Classification: Unclass Legacy IDs: V-73163; SV-87815

Parameters

The following parameters are available in the rhel7stig::v204512 class:

network_failure_action

`network_failure_action`

Data type: Enum['syslog', 'single', 'halt']

System response when unable to send audit records to the remote log server

Default value: 'syslog'

`rhel7stig::v204513`

The system must notify the administrator when audit storage reached 75% of capacity

Note Vul ID: V-204513 Rule ID: SV-204513r505924_rule STIG ID: RHEL-07-030330 Severity: CAT II Classification: Unclass Legacy IDs: V-72089; SV-86713

Parameters

The following parameters are available in the rhel7stig::v204513 class:

space_left

`space_left`

Data type: Integer

Number as a percentage of free disk space in /var/log/audit for alerting the system administrator

Default value: 25

`rhel7stig::v204514`

The system must notify the administrator via email when the audit storage capacity is reached

Note Vul ID: V-204514 Rule ID: SV-204514r505924_rule STIG ID: RHEL-07-030340 Severity: CAT II Classification: Unclass Legacy IDs: V-72091; SV-86715

Parameters

The following parameters are available in the rhel7stig::v204514 class:

space_left_action

`space_left_action`

Data type: String

Action to take when the audit storage capacity threshold is reached

Default value: 'email'

`rhel7stig::v204515`

The system must notify the administrator and ISSO when audit storage capacity is reached

Note Vul ID: V-204515 Rule ID: SV-204515r505924_rule STIG ID: RHEL-07-030350 Severity: CAT II Classification: Unclass Legacy IDs: V-72093; SV-86717

Parameters

The following parameters are available in the rhel7stig::v204515 class:

action_mail_acct

`action_mail_acct`

Data type: String

Account to notify when the audit storage threshold is reached

Default value: 'root'

`rhel7stig::v204516`

The system must audit all executions of privileged functions.

Note Vul ID: V-204516 Rule ID: SV-204516r505924_rule STIG ID: RHEL-07-030360 Severity: CAT II Classification: Unclass Legacy IDs: V-72095; SV-86719

`rhel7stig::v204517`

The system must audit all uses of the chown syscall.

Note Vul ID: V-204517 Rule ID: SV-204517r505924_rule STIG ID: RHEL-07-030370 Severity: CAT II Classification: Unclass Legacy IDs: V-72097; SV-86721

Parameters

The following parameters are available in the rhel7stig::v204517 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204518`

The system must audit all uses of the fchown syscall.

Note Vul ID: V-204518 Rule ID: SV-204518r505924_rule STIG ID: RHEL-07-030380 Severity: CAT II Classification: Unclass Legacy IDs: V-72099; SV-86723

Parameters

The following parameters are available in the rhel7stig::v204518 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204519`

The system must audit all uses of the lchown syscall.

Note Vul ID: V-204519 Rule ID: SV-204519r505924_rule STIG ID: RHEL-07-030390 Severity: CAT II Classification: Unclass Legacy IDs: V-72101; SV-86725

Parameters

The following parameters are available in the rhel7stig::v204519 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204520`

The system must audit all uses of the fchownat syscall.

Note Vul ID: V-204520 Rule ID: SV-204520r505924_rule STIG ID: RHEL-07-030400 Severity: CAT II Classification: Unclass Legacy IDs: V-72103; SV-86727

Parameters

The following parameters are available in the rhel7stig::v204520 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204521`

The system must audit all uses of the chmod syscall.

Note Vul ID: V-204521 Rule ID: SV-204521r505924_rule STIG ID: RHEL-07-030410 Severity: CAT II Classification: Unclass Legacy IDs: V-72105; SV-86729

Parameters

The following parameters are available in the rhel7stig::v204521 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204522`

The system must audit all uses of the fchmod syscall.

Note Vul ID: V-204522 Rule ID: SV-204522r505924_rule STIG ID: RHEL-07-030420 Severity: CAT II Classification: Unclass Legacy IDs: V-72107; SV-86731

Parameters

The following parameters are available in the rhel7stig::v204522 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204523`

The system must audit all uses of the fchmodat syscall.

Note Vul ID: V-204523 Rule ID: SV-204523r505924_rule STIG ID: RHEL-07-030430 Severity: CAT II Classification: Unclass Legacy IDs: V-72109; SV-86733

Parameters

The following parameters are available in the rhel7stig::v204523 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204524`

The system must audit all uses of the setxattr syscall.

Note Vul ID: V-204524 Rule ID: SV-204524r505924_rule STIG ID: RHEL-07-030440 Severity: CAT II Classification: Unclass Legacy IDs: V-72111; SV-86735

Parameters

The following parameters are available in the rhel7stig::v204524 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204525`

The system must audit all uses of the fsetxattr syscall.

Note Vul ID: V-204525 Rule ID: SV-204525r505924_rule STIG ID: RHEL-07-030450 Severity: CAT II Classification: Unclass Legacy IDs: V-72113; SV-86737

Parameters

The following parameters are available in the rhel7stig::v204525 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204526`

The system must audit all uses of the lsetxattr syscall.

Note Vul ID: V-204526 Rule ID: SV-204526r505924_rule STIG ID: RHEL-07-030460 Severity: CAT II Classification: Unclass Legacy IDs: V-72115; SV-86739

Parameters

The following parameters are available in the rhel7stig::v204526 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204527`

The system must audit all uses of the removexattr syscall.

Note Vul ID: V-204527 Rule ID: SV-204527r505924_rule STIG ID: RHEL-07-030470 Severity: CAT II Classification: Unclass Legacy IDs: V-72117; SV-86741

Parameters

The following parameters are available in the rhel7stig::v204527 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204528`

The system must audit all uses of the fremovexattr syscall.

Note Vul ID: V-204528 Rule ID: SV-204528r505924_rule STIG ID: RHEL-07-030480 Severity: CAT II Classification: Unclass Legacy IDs: V-72119; SV-86743

Parameters

The following parameters are available in the rhel7stig::v204528 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204529`

The system must audit all uses of the lremovexattr syscall.

Note Vul ID: V-204529 Rule ID: SV-204529r505924_rule STIG ID: RHEL-07-030490 Severity: CAT II Classification: Unclass Legacy IDs: V-72121; SV-86745

Parameters

The following parameters are available in the rhel7stig::v204529 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204530`

The system must audit all uses of the creat syscall.

Note Vul ID: V-204530 Rule ID: SV-204530r505924_rule STIG ID: RHEL-07-030500 Severity: CAT II Classification: Unclass Legacy IDs: V-72123; SV-86747

Parameters

The following parameters are available in the rhel7stig::v204530 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204531`

The system must audit all uses of the open syscall.

Note Vul ID: V-204531 Rule ID: SV-204531r505924_rule STIG ID: RHEL-07-030510 Severity: CAT II Classification: Unclass Legacy IDs: V-72125; SV-86749

Parameters

The following parameters are available in the rhel7stig::v204531 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204532`

The system must audit all uses of the openat syscall.

Note Vul ID: V-204532 Rule ID: SV-204532r505924_rule STIG ID: RHEL-07-030520 Severity: CAT II Classification: Unclass Legacy IDs: V-72127; SV-86751

Parameters

The following parameters are available in the rhel7stig::v204532 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204533`

The system must audit all uses of the open_by_handle_at syscall.

Note Vul ID: V-204533 Rule ID: SV-204533r505924_rule STIG ID: RHEL-07-030530 Severity: CAT II Classification: Unclass Legacy IDs: V-72129; SV-86753

Parameters

The following parameters are available in the rhel7stig::v204533 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204534`

The system must audit all uses of the truncate syscall.

Note Vul ID: V-204534 Rule ID: SV-204534r505924_rule STIG ID: RHEL-07-030540 Severity: CAT II Classification: Unclass Legacy IDs: V-72131; SV-86755

Parameters

The following parameters are available in the rhel7stig::v204534 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204535`

The system must audit all uses of the ftruncate syscall.

Note Vul ID: V-204535 Rule ID: SV-204535r505924_rule STIG ID: RHEL-07-030550 Severity: CAT II Classification: Unclass Legacy IDs: V-72133; SV-86757

Parameters

The following parameters are available in the rhel7stig::v204535 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204536`

The system must audit all uses of the semanage command.

Note Vul ID: V-204536 Rule ID: SV-204536r505924_rule STIG ID: RHEL-07-030560 Severity: CAT II Classification: Unclass Legacy IDs: V-72135; SV-86759

`rhel7stig::v204537`

The system must audit all uses of the setsebool command.

Note Vul ID: V-204537 Rule ID: SV-204537r505924_rule STIG ID: RHEL-07-030570 Severity: CAT II Classification: Unclass Legacy IDs: V-72137; SV-86761

`rhel7stig::v204538`

The system must audit all uses of the chcon command.

Note Vul ID: V-204538 Rule ID: SV-204538r505924_rule STIG ID: RHEL-07-030580 Severity: CAT II Classification: Unclass Legacy IDs: V-72139; SV-86763

`rhel7stig::v204539`

The system must audit all uses of the setfiles command.

Note Vul ID: V-204539 Rule ID: SV-204539r505924_rule STIG ID: RHEL-07-030590 Severity: CAT II Classification: Unclass Legacy IDs: V-72141; SV-86765

`rhel7stig::v204540`

The system must audit all unsuccessful account access events.

Note Vul ID: V-204540 Rule ID: SV-204540r505924_rule STIG ID: RHEL-07-030610 Severity: CAT II Classification: Unclass Legacy IDs: V-72145; SV-86769

`rhel7stig::v204541`

Severity: CAT II Classification: Unclass Legacy IDs: V-72147; SV-86771

Note Vul ID: V-204541 Rule ID: SV-204541r505924_rule STIG ID: RHEL-07-030620

`rhel7stig::v204542`

Severity: CAT II Classification: Unclass Legacy IDs: V-72149; SV-86773

Note Vul ID: V-204542 Rule ID: SV-204542r505924_rule STIG ID: RHEL-07-030630

`rhel7stig::v204543`

The system must audit all uses of the unix_chkpwd command.

Note Vul ID: V-204543 Rule ID: SV-204543r505924_rule STIG ID: RHEL-07-030640 Severity: CAT II Classification: Unclass Legacy IDs: V-72151; SV-86775

`rhel7stig::v204544`

Severity: CAT II Classification: Unclass Legacy IDs: V-72153; SV-86777

Note Vul ID: V-204544 Rule ID: SV-204544r505924_rule STIG ID: RHEL-07-030650

`rhel7stig::v204545`

The system must audit all uses of the chage command.

Note Vul ID: V-204545 Rule ID: SV-204545r505924_rule STIG ID: RHEL-07-030660 Severity: CAT II Classification: Unclass Legacy IDs: V-72155; SV-86779

`rhel7stig::v204546`

The system must audit all uses of the userhelper command.

Note Vul ID: V-204546 Rule ID: SV-204546r505924_rule STIG ID: RHEL-07-030670 Severity: CAT II Classification: Unclass Legacy IDs: V-72157; SV-86781

`rhel7stig::v204547`

The system must audit all uses of the su command.

Note Vul ID: V-204547 Rule ID: SV-204547r505924_rule STIG ID: RHEL-07-030680 Severity: CAT II Classification: Unclass Legacy IDs: V-72159; SV-86783

`rhel7stig::v204548`

The system must audit all uses of the sudo command.

Note Vul ID: V-204548 Rule ID: SV-204548r505924_rule STIG ID: RHEL-07-030690 Severity: CAT II Classification: Unclass Legacy IDs: V-72161; SV-86785

`rhel7stig::v204549`

The system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.

Note Vul ID: V-204549 Rule ID: SV-204549r505924_rule STIG ID: RHEL-07-030700 Severity: CAT II Classification: Unclass Legacy IDs: V-72163; SV-86787

`rhel7stig::v204550`

The system must audit all uses of the newgrp command.

Note Vul ID: V-204550 Rule ID: SV-204550r505924_rule STIG ID: RHEL-07-030710 Severity: CAT II Classification: Unclass Legacy IDs: V-72165; SV-86789

`rhel7stig::v204551`

The system must audit all uses of the chsh command.

Note Vul ID: V-204551 Rule ID: SV-204551r505924_rule STIG ID: RHEL-07-030720 Severity: CAT II Classification: Unclass Legacy IDs: V-72167; SV-86791

`rhel7stig::v204552`

The system must audit all uses of the mount command and syscall.

Note Vul ID: V-204552 Rule ID: SV-204552r505924_rule STIG ID: RHEL-07-030740 Severity: CAT II Classification: Unclass Legacy IDs: V-72171; SV-86795

`rhel7stig::v204553`

The system must audit all uses of the umount command.

Note Vul ID: V-204553 Rule ID: SV-204553r505924_rule STIG ID: RHEL-07-030750 Severity: CAT II Classification: Unclass Legacy IDs: V-72173; SV-86797

`rhel7stig::v204554`

Severity: CAT II Classification: Unclass Legacy IDs: V-72175; SV-86799

Note Vul ID: V-204554 Rule ID: SV-204554r505924_rule STIG ID: RHEL-07-030760

`rhel7stig::v204555`

The system must audit all executions of postqueue command.

Note Vul ID: V-204555 Rule ID: SV-204555r505924_rule STIG ID: RHEL-07-030770 Severity: CAT II Classification: Unclass Legacy IDs: V-72177; SV-86801

`rhel7stig::v204556`

The system must audit all executions of ssh-keysign command.

Note Vul ID: V-204556 Rule ID: SV-204556r505924_rule STIG ID: RHEL-07-030780 Severity: CAT II Classification: Unclass Legacy IDs: V-72179; SV-86803

`rhel7stig::v204557`

The system must audit all executions of crontab command.

Note Vul ID: V-204557 Rule ID: SV-204557r505924_rule STIG ID: RHEL-07-030800 Severity: CAT II Classification: Unclass Legacy IDs: V-72183; SV-86807

`rhel7stig::v204558`

The system must audit all executions of pam_timestamp_check command.

Note Vul ID: V-204558 Rule ID: SV-204558r505924_rule STIG ID: RHEL-07-030810 Severity: CAT II Classification: Unclass Legacy IDs: V-72185; SV-86809

`rhel7stig::v204559`

The system must audit all executions of the create_module syscall.

Note Vul ID: V-204559 Rule ID: SV-204559r505924_rule STIG ID: RHEL-07-030819 Severity: CAT II Classification: Unclass Legacy IDs: V-78999; SV-93705

Parameters

The following parameters are available in the rhel7stig::v204559 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204560`

The system must audit all executions of the init_module syscall.

Note Vul ID: V-204560 Rule ID: SV-204560r505924_rule STIG ID: RHEL-07-030820 Severity: CAT II Classification: Unclass Legacy IDs: V-72187; SV-86811

Parameters

The following parameters are available in the rhel7stig::v204560 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204561`

The system must audit all executions of the finit_module syscall.

Note Vul ID: V-204561 Rule ID: SV-204561r505924_rule STIG ID: RHEL-07-030821 Severity: CAT II Classification: Unclass Legacy IDs: V-79001; SV-93707

Parameters

The following parameters are available in the rhel7stig::v204561 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204562`

The system must audit all executions of the delete_module syscall.

Note Vul ID: V-204562 Rule ID: SV-204562r505924_rule STIG ID: RHEL-07-030830 Severity: CAT II Classification: Unclass Legacy IDs: V-72189; SV-86813

Parameters

The following parameters are available in the rhel7stig::v204562 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204563`

The system must audit all executions of the kmod command.

Note Vul ID: V-204563 Rule ID: SV-204563r505924_rule STIG ID: RHEL-07-030840 Severity: CAT II Classification: Unclass Legacy IDs: V-72191; SV-86815

`rhel7stig::v204564`

The system must audit all changes to /etc/passwd.

Note Vul ID: V-204564 Rule ID: SV-204564r505924_rule STIG ID: RHEL-07-030870 Severity: CAT II Classification: Unclass Legacy IDs: V-72197; SV-86821

`rhel7stig::v204565`

The system must audit all changes to /etc/group

Note Vul ID: V-204565 Rule ID: SV-204565r505924_rule STIG ID: RHEL-07-030871 Severity: CAT II Classification: Unclass Legacy IDs: V-73165; SV-87817

`rhel7stig::v204566`

The system must audit all changes to /etc/gshadow

Note Vul ID: V-204566 Rule ID: SV-204566r505924_rule STIG ID: RHEL-07-030872 Severity: CAT II Classification: Unclass Legacy IDs: V-73167; SV-87819

`rhel7stig::v204567`

The system must audit all changes to /etc/shadow

Note Vul ID: V-204567 Rule ID: SV-204567r505924_rule STIG ID: RHEL-07-030873 Severity: CAT II Classification: Unclass Legacy IDs: V-73171; SV-87823

`rhel7stig::v204568`

The system must audit all changes to /etc/opasswd

Note Vul ID: V-204568 Rule ID: SV-204568r505924_rule STIG ID: RHEL-07-030874 Severity: CAT II Classification: Unclass Legacy IDs: V-73173; SV-87825

`rhel7stig::v204569`

The system must audit all uses of the rename syscall.

Note Vul ID: V-204569 Rule ID: SV-204569r505924_rule STIG ID: RHEL-07-030880 Severity: CAT II Classification: Unclass Legacy IDs: V-72199; SV-86823

Parameters

The following parameters are available in the rhel7stig::v204569 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204570`

The system must audit all uses of the renameat syscall.

Note Vul ID: V-204570 Rule ID: SV-204570r505924_rule STIG ID: RHEL-07-030890 Severity: CAT II Classification: Unclass Legacy IDs: V-72201; SV-86825

Parameters

The following parameters are available in the rhel7stig::v204570 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204571`

The system must audit all uses of the rmdir syscall.

Note Vul ID: V-204571 Rule ID: SV-204571r505924_rule STIG ID: RHEL-07-030900 Severity: CAT II Classification: Unclass Legacy IDs: V-72203; SV-86827

Parameters

The following parameters are available in the rhel7stig::v204571 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204572`

The system must audit all uses of the unlink syscall.

Note Vul ID: V-204572 Rule ID: SV-204572r505924_rule STIG ID: RHEL-07-030910 Severity: CAT II Classification: Unclass Legacy IDs: V-72205; SV-86829

Parameters

The following parameters are available in the rhel7stig::v204572 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204573`

The system must audit all uses of the unlinkat syscall.

Note Vul ID: V-204573 Rule ID: SV-204573r505924_rule STIG ID: RHEL-07-030920 Severity: CAT II Classification: Unclass Legacy IDs: V-72207; SV-86831

Parameters

The following parameters are available in the rhel7stig::v204573 class:

efficient

`efficient`

Data type: Boolean

Bundle related syscall audits in a single rule. See 'System Call' in 'man 7 audit.rules'.

Default value: true

`rhel7stig::v204574`

The system must send rsyslog output to a log aggregation server.

Note Vul ID: V-204574 Rule ID: SV-204574r505924_rule STIG ID: RHEL-07-031000 Severity: CAT II Classification: Unclass Legacy IDs: V-72209; SV-86833

Parameters

The following parameters are available in the rhel7stig::v204574 class:

syslog_host

`syslog_host`

Data type: String

The hostname or IP address of the remote systlog server

`rhel7stig::v204575`

The system must not accept log messages from other servers unless the server is being used for log aggregation.

Note Vul ID: V-204575 Rule ID: SV-204575r505924_rule STIG ID: RHEL-07-031010 Severity: CAT II Classification: Unclass Legacy IDs: V-72211; SV-86835

Parameters

The following parameters are available in the rhel7stig::v204575 class:

authorized

`authorized`

Data type: Boolean

When true, the 'imtcp', 'imudp', and 'imrelp' modules will remain permitted in the rsyslog configuration files.

Default value: false

`rhel7stig::v204576`

The system must limit the number of concurrent sessions to 10 for all accounts and/or account types.

Note Vul ID: V-204576 Rule ID: SV-204576r505924_rule STIG ID: RHEL-07-040000 Severity: CAT III Classification: Unclass Legacy IDs: V-72217; SV-86841

Parameters

The following parameters are available in the rhel7stig::v204576 class:

maxlogins

`maxlogins`

Data type: Integer[1, 10]

Maximum number of permitted concurrent login sessions. Will be set in '/etc/security/limits.d/99-puppet.conf'

Default value: 10

`rhel7stig::v204577`

The system must limit all access to services except those documented IAW organizational requirements.

Note Vul ID: V-204577 Rule ID: SV-204577r505924_rule STIG ID: RHEL-07-040100 Severity: CAT II Classification: Unclass Legacy IDs: V-72219; SV-86843

`rhel7stig::v204578`

The system must use use a FIPS 140-2 approved cryptographic algorithm for SSH communications.

Note Vul ID: V-204578 Rule ID: SV-204578r505924_rule STIG ID: RHEL-07-040110 Severity: CAT II Classification: Unclass Legacy IDs: V-72221; SV-86845

`rhel7stig::v204579`

The system must terminate sessions after 15 minutes of inactivity

Note Vul ID: V-204579 Rule ID: SV-204579r505924_rule STIG ID: RHEL-07-040160 Severity: CAT II Classification: Unclass Legacy IDs: V-72223; SV-86847

Parameters

The following parameters are available in the rhel7stig::v204579 class:

tmout

`tmout`

Data type: Integer[1, 900]

The number of seconds idle time before a session is terminated

Default value: 900

`rhel7stig::v204580`

The system must display the DoD logon banner for remote access logon prompts

Note Vul ID: V-204580 Rule ID: SV-204580r505924_rule STIG ID: RHEL-07-040170 Severity: CAT II Classification: Unclass Legacy IDs: V-72225; SV-86849

`rhel7stig::v204581`

The system must implement cryptography to protect the integrity of LDAP authentication communications.

Note Vul ID: V-204581 Rule ID: SV-204581r505924_rule STIG ID: RHEL-07-040180 Severity: CAT II Classification: Unclass Legacy IDs: V-72227; SV-86851

`rhel7stig::v204582`

The system must implement cryptography to protect the integrity of LDAP communications.

Note Vul ID: V-204582 Rule ID: SV-204582r505924_rule STIG ID: RHEL-07-040190 Severity: CAT II Classification: Unclass Legacy IDs: V-72229; SV-86853

`rhel7stig::v204583`

The system must implement cryptography to protect the integrity of LDAP communications.

Note Vul ID: V-204583 Rule ID: SV-204583r505924_rule STIG ID: RHEL-07-040200 Severity: CAT II Classification: Unclass Legacy IDs: V-72231; SV-86855

`rhel7stig::v204584`

The system must implement virtual address space randomization.

Note Vul ID: V-204584 Rule ID: SV-204584r505924_rule STIG ID: RHEL-07-040201 Severity: CAT II Classification: Unclass Legacy IDs: V-77825; SV-92521

`rhel7stig::v204585`

The system must have SSH installed.

Note Vul ID: V-204585 Rule ID: SV-204585r505924_rule STIG ID: RHEL-07-040300 Severity: CAT II Classification: Unclass Legacy IDs: V-72233; SV-86857

`rhel7stig::v204586`

The system must have SSH loaded and active.

Note Vul ID: V-204586 Rule ID: SV-204586r505924_rule STIG ID: RHEL-07-040310 Severity: CAT II Classification: Unclass Legacy IDs: V-72235; SV-86859

`rhel7stig::v204587`

The system must terminate SSH connections at the end of the session or after 10 minutes of inactivity.

Note Vul ID: V-204587 Rule ID: SV-204587r505924_rule STIG ID: RHEL-07-040320 Severity: CAT II Classification: Unclass Legacy IDs: V-72237; SV-86861

Parameters

The following parameters are available in the rhel7stig::v204587 class:

client_alive_interval

`client_alive_interval`

Data type: Integer[1, 600]

Number of seconds before idle SSH sessions are terminated.

Default value: 600

`rhel7stig::v204588`

The system must not allow RSA rhosts authentication to the SSH service.

Note Vul ID: V-204588 Rule ID: SV-204588r505924_rule STIG ID: RHEL-07-040330 Severity: CAT II Classification: Unclass Legacy IDs: V-72239; SV-86863

`rhel7stig::v204589`

The system must terminate SSH connections after a period of inactivity.

Note Vul ID: V-204589 Rule ID: SV-204589r505924_rule STIG ID: RHEL-07-040340 Severity: CAT II Classification: Unclass Legacy IDs: V-72241; SV-86865

`rhel7stig::v204590`

The system must allow SSH authentication using rhosts.

Note Vul ID: V-204590 Rule ID: SV-204590r505924_rule STIG ID: RHEL-07-040350 Severity: CAT II Classification: Unclass Legacy IDs: V-72243; SV-86867

`rhel7stig::v204591`

The system must display the date and time of the last successful account logon upon an SSH logon.

Note Vul ID: V-204591 Rule ID: SV-204591r505924_rule STIG ID: RHEL-07-040360 Severity: CAT II Classification: Unclass Legacy IDs: V-72245; SV-86869

`rhel7stig::v204592`

The system must not permit direct logons to the root account using remote access via SSH.

Note Vul ID: V-204592 Rule ID: SV-204592r505924_rule STIG ID: RHEL-07-040370 Severity: CAT II Classification: Unclass Legacy IDs: V-72247; SV-86871

`rhel7stig::v204593`

The system must not not allow authentication using known hosts authentication to the SSH daemon.

Note Vul ID: V-204593 Rule ID: SV-204593r505924_rule STIG ID: RHEL-07-040380 Severity: CAT II Classification: Unclass Legacy IDs: V-72249; SV-86873

`rhel7stig::v204594`

The system must be configured so that the SSH daemon will only use the SSHv2 protocol.

Note Vul ID: V-204594 Rule ID: SV-204594r505924_rule STIG ID: RHEL-07-040390 Severity: CAT I Classification: Unclass Legacy IDs: V-72251; SV-86875

`rhel7stig::v204595`

The SSH daemon must only use (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

Note Vul ID: V-204595 Rule ID: SV-204595r505924_rule STIG ID: RHEL-07-040400 Severity: CAT II Classification: Unclass Legacy IDs: V-72253; SV-86877

`rhel7stig::v204596`

The SSH public host key files have mode 0644 or less permissive.

Note Vul ID: V-204596 Rule ID: SV-204596r505924_rule STIG ID: RHEL-07-040410 Severity: CAT II Classification: Unclass Legacy IDs: V-72255; SV-86879

`rhel7stig::v204597`

The SSH private host key files have mode 0640 or less permissive.

Note Vul ID: V-204597 Rule ID: SV-204597r505924_rule STIG ID: RHEL-07-040420 Severity: CAT II Classification: Unclass Legacy IDs: V-72257; SV-86881

`rhel7stig::v204598`

The SSH daemon does not permit GSSAPI authentication unless needed.

Note Vul ID: V-204598 Rule ID: SV-204598r505924_rule STIG ID: RHEL-07-040430 Severity: CAT II Classification: Unclass Legacy IDs: V-72259; SV-86883

`rhel7stig::v204599`

The SSH daemon does not permit Kerberos authentication unless needed.

Note Vul ID: V-204599 Rule ID: SV-204599r505924_rule STIG ID: RHEL-07-040440 Severity: CAT II Classification: Unclass Legacy IDs: V-72261; SV-86885

`rhel7stig::v204600`

checking of home directory configuration files.

Note Vul ID: V-204600 Rule ID: SV-204600r505924_rule STIG ID: RHEL-07-040450 Severity: CAT II Classification: Unclass Legacy IDs: V-72263; SV-86887

`rhel7stig::v204601`

The SSH daemon must use privilege separation.

Note Vul ID: V-204601 Rule ID: SV-204601r505924_rule STIG ID: RHEL-07-040460 Severity: CAT II Classification: Unclass Legacy IDs: V-72265; SV-86889

`rhel7stig::v204602`

The SSH daemon must not allow compression or only allows compression after successful authentication.

Note Vul ID: V-204602 Rule ID: SV-204602r505924_rule STIG ID: RHEL-07-040470 Severity: CAT II Classification: Unclass Legacy IDs: V-72267; SV-86891

`rhel7stig::v204603`

The system must synchronize the clock with an authoritative source.

Note Vul ID: V-204603 Rule ID: SV-204603r505924_rule STIG ID: RHEL-07-040500 Severity: CAT II Classification: Unclass Legacy IDs: V-72269; SV-86893

`rhel7stig::v204604`

The system must enable an application firewall.

Note Vul ID: V-204604 Rule ID: SV-204604r505924_rule STIG ID: RHEL-07-040520 Severity: CAT II Classification: Unclass Legacy IDs: V-72273; SV-86897

`rhel7stig::v204605`

The system must display the date and time of the last successful account logon upon logon.

Note Vul ID: V-204605 Rule ID: SV-204605r505924_rule STIG ID: RHEL-07-040530 Severity: CAT III Classification: Unclass Legacy IDs: V-72275; SV-86899

`rhel7stig::v204606`

The system must not not contain .shosts files.

Note Vul ID: V-204606 Rule ID: SV-204606r505924_rule STIG ID: RHEL-07-040540 Severity: CAT I Classification: Unclass Legacy IDs: V-72277; SV-86901

`rhel7stig::v204607`

The system must not not contain shosts.equiv files.

Note Vul ID: V-204607 Rule ID: SV-204607r505924_rule STIG ID: RHEL-07-040550 Severity: CAT I Classification: Unclass Legacy IDs: V-72279; SV-86903

`rhel7stig::v204608`

Systems using DNS resolution require at least two name servers.

Note Vul ID: V-204608 Rule ID: SV-204608r505924_rule STIG ID: RHEL-07-040600 Severity: CAT III Classification: Unclass Legacy IDs: V-72281; SV-86905

Parameters

The following parameters are available in the rhel7stig::v204608 class:

nameserver
purge_nameserver

`nameserver`

Data type: Optional[Array]

An optional array of nameservers to configure in '/etc/resolv.conf'

Default value: []

`purge_nameserver`

Data type: Optional[Array]

An optional array of nameservers to be removed. Entries are ignored if they are also present in 'nameserver'

Default value: []

`rhel7stig::v204609`

The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.

Note Vul ID: V-204609 Rule ID: SV-204609r505924_rule STIG ID: RHEL-07-040610 Severity: CAT II Classification: Unclass Legacy IDs: V-72283; SV-86907

`rhel7stig::v204610`

The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.

Note Vul ID: V-204610 Rule ID: SV-204610r505924_rule STIG ID: RHEL-07-040611 Severity: CAT II Classification: Unclass Legacy IDs: V-92251; SV-102353

`rhel7stig::v204611`

The system must use a reverse-path filter for IPv4 network traffic when possible by default.

Note Vul ID: V-204611 Rule ID: SV-204611r505924_rule STIG ID: RHEL-07-040612 Severity: CAT II Classification: Unclass Legacy IDs: V-92253; SV-102355

`rhel7stig::v204612`

The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.

Note Vul ID: V-204612 Rule ID: SV-204612r505924_rule STIG ID: RHEL-07-040620 Severity: CAT II Classification: Unclass Legacy IDs: V-72285; SV-86909

`rhel7stig::v204613`

The system must not respond to IPv4 ICMP echoes sent to a broadcast address.

Note Vul ID: V-204613 Rule ID: SV-204613r505924_rule STIG ID: RHEL-07-040630 Severity: CAT II Classification: Unclass Legacy IDs: V-72287; SV-86911

`rhel7stig::v204614`

The system must prevent IPv4 ICMP redirect messages from being accepted.

Note Vul ID: V-204614 Rule ID: SV-204614r505924_rule STIG ID: RHEL-07-040640 Severity: CAT II Classification: Unclass Legacy IDs: V-72289; SV-86913

`rhel7stig::v204615`

The system must ignore IPv4 ICMP redirect messages.

Note Vul ID: V-204615 Rule ID: SV-204615r505924_rule STIG ID: RHEL-07-040641 Severity: CAT II Classification: Unclass Legacy IDs: V-73175; SV-87827

`rhel7stig::v204616`

The system must not allow interfaces to perform IPv4 ICMP redirects by default.

Note Vul ID: V-204616 Rule ID: SV-204616r505924_rule STIG ID: RHEL-07-040650 Severity: CAT II Classification: Unclass Legacy IDs: V-72291; SV-86915

`rhel7stig::v204617`

The system must not send IPv4 ICMP redirects.

Note Vul ID: V-204617 Rule ID: SV-204617r505924_rule STIG ID: RHEL-07-040660 Severity: CAT II Classification: Unclass Legacy IDs: V-72293; SV-86917

`rhel7stig::v204618`

The system network interfaces must not be in promiscuous mode.

Note Vul ID: V-204618 Rule ID: SV-204618r505924_rule STIG ID: RHEL-07-040670 Severity: CAT II Classification: Unclass Legacy IDs: V-72295; SV-86919

`rhel7stig::v204619`

The system must prevent unrestricted mail relaying.

Note Vul ID: V-204619 Rule ID: SV-204619r505924_rule STIG ID: RHEL-07-040680 Severity: CAT II Classification: Unclass Legacy IDs: V-72297; SV-86921

`rhel7stig::v204620`

The system must not have a File Transfer Protocol (FTP) server package installed unless needed.

Note Vul ID: V-204620 Rule ID: SV-204620r505924_rule STIG ID: RHEL-07-040690 Severity: CAT I Classification: Unclass Legacy IDs: V-72299; SV-86923

Parameters

The following parameters are available in the rhel7stig::v204620 class:

authorized

`authorized`

Data type: Boolean

When true, the 'vsftpd' package will not be removed

Default value: false

`rhel7stig::v204621`

The system must not have the Trivial File Transfer Protocol (TFTP) server package installed.

Note Vul ID: V-204621 Rule ID: SV-204621r505924_rule STIG ID: RHEL-07-040700 Severity: CAT I Classification: Unclass Legacy IDs: V-72301; SV-86925

Parameters

The following parameters are available in the rhel7stig::v204621 class:

authorized

`authorized`

Data type: Boolean

When true, the 'tftp-server' package will not be removed

Default value: false

`rhel7stig::v204622`

Severity: CAT II Classification: Unclass Legacy IDs: V-72303; SV-86927

Note Vul ID: V-204622 Rule ID: SV-204622r505924_rule STIG ID: RHEL-07-040710

`rhel7stig::v204623`

If the TFTP server is required, the TFTP daemon must be configured to operate in secure mode.

Note Vul ID: V-204623 Rule ID: SV-204623r505924_rule STIG ID: RHEL-07-040720 Severity: CAT II Classification: Unclass Legacy IDs: V-72305; SV-86929

Parameters

The following parameters are available in the rhel7stig::v204623 class:

tftpdir

`tftpdir`

Data type: String

The root directory to be shared by the tftp server

Default value: '/var/lib/tftpboot'

`rhel7stig::v204624`

The system must not have a graphical display manager installed unless approved.

Note Vul ID: V-204624 Rule ID: SV-204624r505924_rule STIG ID: RHEL-07-040730 Severity: CAT II Classification: Unclass Legacy IDs: V-72307; SV-86931

Parameters

The following parameters are available in the rhel7stig::v204624 class:

authorized

`authorized`

Data type: Boolean

When true, the 'xorg-x11-server-common' will remain installed and the systemd default target will not be modifed.

Default value: false

`rhel7stig::v204625`

The system must not not be performing packet forwarding unless the system is a router.

Note Vul ID: V-204625 Rule ID: SV-204625r505924_rule STIG ID: RHEL-07-040740 Severity: CAT II Classification: Unclass Legacy IDs: V-72309; SV-86933

`rhel7stig::v204626`

The system must use RPCSEC_GSS with NFS.

Note Vul ID: V-204626 Rule ID: SV-204626r505924_rule STIG ID: RHEL-07-040750 Severity: CAT II Classification: Unclass Legacy IDs: V-72311; SV-86935

`rhel7stig::v204627`

The system must not use the default SNMP community strings.

Note Vul ID: V-204627 Rule ID: SV-204627r505924_rule STIG ID: RHEL-07-040800 Severity: CAT I Classification: Unclass Legacy IDs: V-72313; SV-86937

Parameters

The following parameters are available in the rhel7stig::v204627 class:

public
private

`public`

Data type: String

The name that should be used to replace the default "public" SNMP community string in '/etc/snmp/snmpd.conf'.

Default value: 'readonly'

`private`

Data type: String

The name that should be used to replace the default "private" SNMP community string in '/etc/snmp/snmpd.conf'.

Default value: 'readwrite'

`rhel7stig::v204628`

The system must grant or deny system access to specific hosts and services.

Note Vul ID: V-204628 Rule ID: SV-204628r505924_rule STIG ID: RHEL-07-040810 Severity: CAT II Classification: Unclass Legacy IDs: V-72315; SV-86939

`rhel7stig::v204629`

The system must not have unauthorized IP tunnels configured.

Note Vul ID: V-204629 Rule ID: SV-204629r505924_rule STIG ID: RHEL-07-040820 Severity: CAT II Classification: Unclass Legacy IDs: V-72317; SV-86941

`rhel7stig::v204630`

The system must not forward IPv6 source-routed packets.

Note Vul ID: V-204630 Rule ID: SV-204630r505924_rule STIG ID: RHEL-07-040830 Severity: CAT II Classification: Unclass Legacy IDs: V-72319; SV-86943

`rhel7stig::v204631`

The system must have the required packages for multifactor authentication installed.

Note Vul ID: V-204631 Rule ID: SV-204631r505924_rule STIG ID: RHEL-07-041001 Severity: CAT II Classification: Unclass Legacy IDs: V-72417; SV-87041

`rhel7stig::v204632`

The system must implement multifactor authentication for access to privileged accounts via PAM.

Note Vul ID: V-204632 Rule ID: SV-204632r505924_rule STIG ID: RHEL-07-041002 Severity: CAT II Classification: Unclass Legacy IDs: V-72427; SV-87051

`rhel7stig::v204633`

The system must implement certificate status checking for PKI authentication.

Note Vul ID: V-204633 Rule ID: SV-204633r505924_rule STIG ID: RHEL-07-041003 Severity: CAT II Classification: Unclass Legacy IDs: V-72433; SV-87057

`rhel7stig::v204634`

The system must be configured so that all wireless network adapters are disabled.

Note Vul ID: V-204634 Rule ID: SV-204634r505924_rule STIG ID: RHEL-07-041010 Severity: CAT II Classification: Unclass Legacy IDs: V-73177; SV-87829

`rhel7stig::v214799`

The cryptographic hash of system files and commands must match vendor values.

Note Vul ID: V-214799 Rule ID: SV-214799r505924_rule STIG ID: RHEL-07-010020 Severity: CAT I Classification: Unclass Legacy IDs: V-71855; SV-86479

`rhel7stig::v214800`

Install and enable the latest McAfee ENSLTP package.

Note Vul ID: V-214800 Rule ID: SV-214800r505924_rule STIG ID: RHEL-07-020019 Severity: CAT II Classification: Unclass Legacy IDs: V-92255; SV-102357

`rhel7stig::v214801`

The system must use a virus scan program.

Note Vul ID: V-214801 Rule ID: SV-214801r505924_rule STIG ID: RHEL-07-032000 Severity: CAT I Classification: Unclass Legacy IDs: V-72213; SV-86837

`rhel7stig::v214937`

The system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.

Note Vul ID: V-214937 Rule ID: SV-214937r505924_rule STIG ID: RHEL-07-010062 Severity: CAT II Classification: Unclass Legacy IDs: V-78995; SV-93701

`rhel7stig::v219059`

Severity: CAT II Classification: Unclass Legacy IDs: V-100023; SV-109127

Note Vul ID: V-219059 Rule ID: SV-219059r505924_rule STIG ID: RHEL-07-020111

`rhel7stig::v228563`

all world-writable directories are owned by root, sys, bin, or an application group.

Note Vul ID: V-228563 Rule ID: SV-228563r505924_rule STIG ID: RHEL-07-021031 Severity: CAT II Classification: Unclass Legacy IDs:

`rhel7stig::v228564`

The system must protect audit information from unauthorized read, modification, or deletion.

Note Vul ID: V-228564 Rule ID: SV-228564r505924_rule STIG ID: RHEL-07-910055 Severity: CAT II Classification: Unclass Legacy IDs: ;

`rhel7stig::v233307`

The SSH daemon must prevent remote hosts from connecting to the proxy display.

Note Vul ID: V-233307 Rule ID: SV-233307r603301_rule STIG ID: RHEL-07-040711 Severity: CAT II Classification: Unclass

`rhel7stig::v237633`

Restrict privilege elevation to authorized personnel

Note Vul ID: V-237633 Rule ID: SV-237633r646850_rule STIG ID: RHEL-07-010341 Severity: CAT II Classification: Unclass

`rhel7stig::v237634`

'sudo' privilege escalation should require the user's own password

Note Vul ID: V-237634 Rule ID: SV-237634r646853_rule STIG ID: RHEL-07-010342 Severity: CAT II Classification: Unclass

`rhel7stig::v237635`

Require re-authentication when using the "sudo" command.

Note Vul ID: V-237635 Rule ID: SV-237635r646856_rule STIG ID: RHEL-07-010343 Severity: CAT II Classification: Unclass

Parameters

The following parameters are available in the rhel7stig::v237635 class:

timestamp_timeout

`timestamp_timeout`

Data type: Integer[1, 99]

Time in minutes before sudo will require re-authentication

Default value: 5

`rhel7stig::v244557`

RHEL 7.2 and later using BIOS require a unique name for the grub superusers account

Note Vul ID: V-244557 Rule ID: SV-244557r744063_rule STIG ID: RHEL-07-010483 Severity: CAT II Classification: Unclass

Examples

include rhel7stig::v244557

Parameters

The following parameters are available in the rhel7stig::v244557 class:

grub_superuser

`grub_superuser`

Data type: String

The user name to be set as the GRUB superuser

Default value: 'admin'

`rhel7stig::v244558`

RHEL 7.2 and later using UEFI require a unique name for the grub superusers account

Note Vul ID: V-244558 Rule ID: SV-244558r744066_rule STIG ID: RHEL-07-010492 Severity: CAT II Classification: Unclass

Examples

include rhel7stig::v244558

Parameters

The following parameters are available in the rhel7stig::v244558 class:

grub_superuser

`grub_superuser`

Data type: String

The user name to be set as the GRUB superuser

Default value: 'admin'

`rhel7stig::v250312`

The system must confine SELinux users to least privilege roles.

Note Vul ID: V-250312 Rule ID: SV-250312r792843_rule STIG ID: RHEL-07-020021 Severity: CAT II Classification: Unclass

`rhel7stig::v250313`

The system must not allow privileged accounts to utilize SSH.

Note Vul ID: V-250313 Rule ID: SV-250313r792846_rule STIG ID: RHEL-07-020022 #Severity: CAT II Classification: Unclass

param

ssh_sysadm_login Control the SELinux boolean of the same name.

Examples

Hiera data example to ensure privileged accounts cannot utilize SSH:

rhel7stig::v250313::ssh_admin_login: false

`rhel7stig::v250314`

The system must elevate the SELinux context when an administrator calls the sudo command.

Note Vul ID: V-250314 Rule ID: SV-250314r792849_rule STIG ID: RHEL-07-020023 Severity: CAT II Classification: Unclass

`rhel7stig::v251702`

The system must not have accounts configured with blank or null passwords.

Note Vul ID: V-251702 Rule ID: SV-251702r809220_rule STIG ID: RHEL-07-010291 Severity: CAT II Classification: Unclass

`rhel7stig::v251703`

The system must specify the default "include" directory for the /etc/sudoers file.

Note Vul ID: V-251703 Rule ID: SV-251703r809566_rule STIG ID: RHEL-07-010339 Severity: CAT II Classification: Unclass

`rhel7stig::v251704`

The system must not be configured to bypass password requirements for privilege escalation.

Note Vul ID: V-251704 Rule ID: SV-251704r809568_rule STIG ID: RHEL-07-010344 Severity: CAT II Classification: Unclass

`rhel7stig::v251705`

The system must use a file integrity tool to verify correct operation of all security functions.

Note Vul ID: V-251705 Rule ID: SV-251705r809229_rule STIG ID: RHEL-07-020029 Severity: CAT II Classification: Unclass

Defined types

`rhel7stig::audisp_remote_setting`

Manage settings in '/etc/audisp/audisp-remote.conf'

Examples

rhel7stig::audisp_remote_setting { 'namevar':
  setting => 'active',
  value   => 'yes',
}

Parameters

The following parameters are available in the rhel7stig::audisp_remote_setting defined type:

setting
value
ensure

`setting`

Data type: String

The name of the setting to manage.

`value`

Data type: String

The value of the managed setting.

`ensure`

Data type: Enum['present', 'absent']

Control whether the setting is added or removed.

Default value: 'present'

`rhel7stig::audispd_setting`

Manage settings in '/etc/audisp/audispd.conf'

Examples

rhel7stig::audispd_setting { 'namevar':
  setting => 'active',
  value   => 'yes',
}

Parameters

The following parameters are available in the rhel7stig::audispd_setting defined type:

setting
value
ensure

`setting`

Data type: String

The name of the setting to manage.

`value`

Data type: String

The value of the managed setting.

`ensure`

Data type: Enum['present', 'absent']

Control whether the setting is added or removed.

Default value: 'present'

`rhel7stig::audit_rule`

Defined type for adding RedHat STIG audit rules

Examples

rhel7stig::audit_rule { 'rule_xyz':
  rule => '-a always,exit -F path=/usr/local/bin/myapp -F auid>=1000 -F auid!=unset -k myapp',
}

Parameters

The following parameters are available in the rhel7stig::audit_rule defined type:

rule
ensure

`rule`

Data type: String

The full text of the audit rule to be added to file: '/etc/audit/rules.d/20-puppet-stig.rules'.

`ensure`

Data type: Enum['present','absent']

Control whether the specified rule will be added or removed.

Default value: 'present'

`rhel7stig::auditd_setting`

Manage individual settings in '/etc/audit/auditd.conf'

Parameters

The following parameters are available in the rhel7stig::auditd_setting defined type:

setting
value

`setting`

Data type: String

The name of the setting to manage.

`value`

Data type: String

The value of the setting being managed.

`rhel7stig::dconf_lock`

Manage system wide gnome behavior through dconf setting locks

Parameters

The following parameters are available in the rhel7stig::dconf_lock defined type:

ensure
profile
file
setting

`ensure`

Data type: Enum['present', 'absent']

Control whether the the setting will be added (locked) or removed (unlocked)

Default value: 'present'

`profile`

Data type: String

The name of a defined 'system-db' dconf profile that corresponds to a directory under '/etc/dconf/db', where system-level keyfiles for the profile are stored.

`file`

Data type: String

The target file for the assigned setting

`setting`

Data type: String

The name of the setting to manage

`rhel7stig::dconf_setting`

Manage system wide gnome behavior through dconf keyfile settings

Parameters

The following parameters are available in the rhel7stig::dconf_setting defined type:

ensure
profile
file
section
setting
value

`ensure`

Data type: Enum['present', 'absent']

Control whether the the setting will be added or removed

Default value: 'present'

`profile`

Data type: String

The name of a defined 'system-db' dconf profile that corresponds to a directory under '/etc/dconf/db', where system-level keyfiles for the profile are stored.

`file`

Data type: String

The target file for the assigned setting

`section`

Data type: String

The keyfile section where the setting is defined

`setting`

Data type: String

The name of the setting to manage

`value`

Data type: String

The value to assign to a setting

`rhel7stig::resolv_conf`

A defined type to manage DNS client configuration in '/etc/resolv.conf'

Note Using this defined type will manage the '/etc/resolv.conf' file and also make it immutable so it will not be updated by other utilities such as NetworkManager.

Examples

rhel7stig::resolv_conf { 'DNS primary':
  keyword => 'nameserver',
  value   => '10.0.0.1',
}

Parameters

The following parameters are available in the rhel7stig::resolv_conf defined type:

keyword
value
ensure

`keyword`

Data type: String

The keyword to be used for the managed entry

`value`

Data type: String

The value assigned to the keyword for the managed entry

`ensure`

Data type: Enum['present', 'absent']

Whether the keyword/value combination will be added or removed from '/etc/resolv.conf'

Default value: 'present'

`rhel7stig::sshd_rule`

Defined type for managing RedHat STIG sshd configuration

Examples

rhel7stig::sshd_rule { 'some_name':
  keyword  => 'UsePAM',
  argument => 'yes',
}

Parameters

The following parameters are available in the rhel7stig::sshd_rule defined type:

key
value
ensure

`key`

Data type: String

The "sshd_config" keyword being managed

`value`

Data type: String

The "sshd_config" argument to the given keyword

`ensure`

Data type: Enum['present', 'absent']

Default value: 'present'

`rhel7stig::sysctl_rule`

Defined type for managing RedHat STIG sysctl configuration

Examples

rhel7stig::sysctl_rule { 'some_name':
  key   => 'kernel.randomize_va_space',
  value => '2',
}

Parameters

The following parameters are available in the rhel7stig::sysctl_rule defined type:

key
value

`key`

Data type: String

The kernel parameter to manage

`value`

Data type: String

The value to assign to the kernel parameter key

Table of Contents
Description
Setup
- What rhel7stig affects
- Beginning with rhel7stig
Usage
Limitations
Table of Contents
- Classes
- Defined types
Classes
- rhel7stig
- rhel7stig::v204392
- rhel7stig::v204393
- rhel7stig::v204394
- rhel7stig::v204395
- rhel7stig::v204396
- rhel7stig::v204397
- rhel7stig::v204398
- rhel7stig::v204399
- rhel7stig::v204400
- rhel7stig::v204402
- rhel7stig::v204403
- rhel7stig::v204404
- rhel7stig::v204405
- rhel7stig::v204406
- rhel7stig::v204407
- rhel7stig::v204408
- rhel7stig::v204409
- rhel7stig::v204410
- rhel7stig::v204411
- rhel7stig::v204412
- rhel7stig::v204413
- rhel7stig::v204414
- rhel7stig::v204415
- rhel7stig::v204416
- rhel7stig::v204417
- rhel7stig::v204418
- rhel7stig::v204419
- rhel7stig::v204420
- rhel7stig::v204421
- rhel7stig::v204422
- rhel7stig::v204423
- rhel7stig::v204424
- rhel7stig::v204425
- rhel7stig::v204426
- rhel7stig::v204427
- rhel7stig::v204428
- rhel7stig::v204429
- rhel7stig::v204430
- rhel7stig::v204431
- rhel7stig::v204432
- rhel7stig::v204433
- rhel7stig::v204434
- rhel7stig::v204435
- rhel7stig::v204436
- rhel7stig::v204437
- rhel7stig::v204438
- rhel7stig::v204439
- rhel7stig::v204440
- rhel7stig::v204441
- rhel7stig::v204442
- rhel7stig::v204443
- rhel7stig::v204444
- rhel7stig::v204445
- rhel7stig::v204446
- rhel7stig::v204447
- rhel7stig::v204448
- rhel7stig::v204449
- rhel7stig::v204450
- rhel7stig::v204451
- rhel7stig::v204452
- rhel7stig::v204455
- rhel7stig::v204456
- rhel7stig::v204457
- rhel7stig::v204458
- rhel7stig::v204459
- rhel7stig::v204460
- rhel7stig::v204461
- rhel7stig::v204462
- rhel7stig::v204463
- rhel7stig::v204464
- rhel7stig::v204466
- rhel7stig::v204467
- rhel7stig::v204468
- rhel7stig::v204469
- rhel7stig::v204470
- rhel7stig::v204471
- rhel7stig::v204472
- rhel7stig::v204473
- rhel7stig::v204474
- rhel7stig::v204475
- rhel7stig::v204476
- rhel7stig::v204477
- rhel7stig::v204478
- rhel7stig::v204479
- rhel7stig::v204480
- rhel7stig::v204481
- rhel7stig::v204482
- rhel7stig::v204483
- rhel7stig::v204486
- rhel7stig::v204487
- rhel7stig::v204488
- rhel7stig::v204489
- rhel7stig::v204490
- rhel7stig::v204491
- rhel7stig::v204492
- rhel7stig::v204493
- rhel7stig::v204494
- rhel7stig::v204495
- rhel7stig::v204496
- rhel7stig::v204498
- rhel7stig::v204499
- rhel7stig::v204500
- rhel7stig::v204501
- rhel7stig::v204502
- rhel7stig::v204503
- rhel7stig::v204504
- rhel7stig::v204506
- rhel7stig::v204507
- rhel7stig::v204508
- rhel7stig::v204509
- rhel7stig::v204510
- rhel7stig::v204511
- rhel7stig::v204512
- rhel7stig::v204513
- rhel7stig::v204514
- rhel7stig::v204515
- rhel7stig::v204516
- rhel7stig::v204517
- rhel7stig::v204518
- rhel7stig::v204519
- rhel7stig::v204520
- rhel7stig::v204521
- rhel7stig::v204522
- rhel7stig::v204523
- rhel7stig::v204524
- rhel7stig::v204525
- rhel7stig::v204526
- rhel7stig::v204527
- rhel7stig::v204528
- rhel7stig::v204529
- rhel7stig::v204530
- rhel7stig::v204531
- rhel7stig::v204532
- rhel7stig::v204533
- rhel7stig::v204534
- rhel7stig::v204535
- rhel7stig::v204536
- rhel7stig::v204537
- rhel7stig::v204538
- rhel7stig::v204539
- rhel7stig::v204540
- rhel7stig::v204541
- rhel7stig::v204542
- rhel7stig::v204543
- rhel7stig::v204544
- rhel7stig::v204545
- rhel7stig::v204546
- rhel7stig::v204547
- rhel7stig::v204548
- rhel7stig::v204549
- rhel7stig::v204550
- rhel7stig::v204551
- rhel7stig::v204552
- rhel7stig::v204553
- rhel7stig::v204554
- rhel7stig::v204555
- rhel7stig::v204556
- rhel7stig::v204557
- rhel7stig::v204558
- rhel7stig::v204559
- rhel7stig::v204560
- rhel7stig::v204561
- rhel7stig::v204562
- rhel7stig::v204563
- rhel7stig::v204564
- rhel7stig::v204565
- rhel7stig::v204566
- rhel7stig::v204567
- rhel7stig::v204568
- rhel7stig::v204569
- rhel7stig::v204570
- rhel7stig::v204571
- rhel7stig::v204572
- rhel7stig::v204573
- rhel7stig::v204574
- rhel7stig::v204575
- rhel7stig::v204576
- rhel7stig::v204577
- rhel7stig::v204578
- rhel7stig::v204579
- rhel7stig::v204580
- rhel7stig::v204581
- rhel7stig::v204582
- rhel7stig::v204583
- rhel7stig::v204584
- rhel7stig::v204585
- rhel7stig::v204586
- rhel7stig::v204587
- rhel7stig::v204588
- rhel7stig::v204589
- rhel7stig::v204590
- rhel7stig::v204591
- rhel7stig::v204592
- rhel7stig::v204593
- rhel7stig::v204594
- rhel7stig::v204595
- rhel7stig::v204596
- rhel7stig::v204597
- rhel7stig::v204598
- rhel7stig::v204599
- rhel7stig::v204600
- rhel7stig::v204601
- rhel7stig::v204602
- rhel7stig::v204603
- rhel7stig::v204604
- rhel7stig::v204605
- rhel7stig::v204606
- rhel7stig::v204607
- rhel7stig::v204608
- rhel7stig::v204609
- rhel7stig::v204610
- rhel7stig::v204611
- rhel7stig::v204612
- rhel7stig::v204613
- rhel7stig::v204614
- rhel7stig::v204615
- rhel7stig::v204616
- rhel7stig::v204617
- rhel7stig::v204618
- rhel7stig::v204619
- rhel7stig::v204620
- rhel7stig::v204621
- rhel7stig::v204622
- rhel7stig::v204623
- rhel7stig::v204624
- rhel7stig::v204625
- rhel7stig::v204626
- rhel7stig::v204627
- rhel7stig::v204628
- rhel7stig::v204629
- rhel7stig::v204630
- rhel7stig::v204631
- rhel7stig::v204632
- rhel7stig::v204633
- rhel7stig::v204634
- rhel7stig::v214799
- rhel7stig::v214800
- rhel7stig::v214801
- rhel7stig::v214937
- rhel7stig::v219059
- rhel7stig::v228563
- rhel7stig::v228564
- rhel7stig::v233307
- rhel7stig::v237633
- rhel7stig::v237634
- rhel7stig::v237635
- rhel7stig::v244557
- rhel7stig::v244558
- rhel7stig::v250312
- rhel7stig::v250313
- rhel7stig::v250313::ssh_admin_login: false
- rhel7stig::v250314
- rhel7stig::v251702
- rhel7stig::v251703
- rhel7stig::v251704
- rhel7stig::v251705
Defined types
- rhel7stig::audisp_remote_setting
- rhel7stig::audispd_setting
- rhel7stig::audit_rule
- rhel7stig::auditd_setting
- rhel7stig::dconf_lock
- rhel7stig::dconf_setting
- rhel7stig::resolv_conf
- rhel7stig::sshd_rule
- rhel7stig::sysctl_rule
Changelog

Table of Contents​

Description​

Setup​

What rhel7stig affects​

Beginning with rhel7stig​

Usage​

Limitations​

Table of Contents​

Classes​

Defined types​

Classes​

rhel7stig​

Examples​

Assigning the module will enable all controls by default.​

Disable vulnerability IDs from hiera​

Parameters​

vul_id​

exclude​

enforce​

rhel7stig::v204392​

rhel7stig::v204393​

rhel7stig::v204394​

Parameters​

banner​

rhel7stig::v204395​

rhel7stig::v204396​

rhel7stig::v204397​

rhel7stig::v204398​

Parameters​

delay​

rhel7stig::v204399​

rhel7stig::v204400​

rhel7stig::v204402​

rhel7stig::v204403​

rhel7stig::v204404​

Examples​

Parameters​

delay​

rhel7stig::v204405​

rhel7stig::v204406​

rhel7stig::v204407​

rhel7stig::v204408​

rhel7stig::v204409​

rhel7stig::v204410​

rhel7stig::v204411​

Parameters​

difok​

rhel7stig::v204412​

Parameters​

minclass​

rhel7stig::v204413​

Parameters​

maxrepeat​

rhel7stig::v204414​

Parameters​

maxclassrepeat​

rhel7stig::v204415​

rhel7stig::v204416​

rhel7stig::v204417​

rhel7stig::v204418​

Parameters​

pass_min_days​

rhel7stig::v204419​

rhel7stig::v204420​

Parameters​

pass_max_days​

rhel7stig::v204421​

rhel7stig::v204422​

rhel7stig::v204423​

Parameters​

minlen​

rhel7stig::v204424​

rhel7stig::v204425​

rhel7stig::v204426​

rhel7stig::v204427​

rhel7stig::v204428​

rhel7stig::v204429​

rhel7stig::v204430​

for privilege escalation.

Examples​

Table of Contents

Description

Setup

What rhel7stig affects

Beginning with rhel7stig

Usage

Limitations

Table of Contents

Classes

Defined types

Classes

`rhel7stig`

Examples

Assigning the module will enable all controls by default.

Disable vulnerability IDs from hiera

Parameters

`vul_id`

`exclude`

`enforce`

`rhel7stig::v204392`

`rhel7stig::v204393`

`rhel7stig::v204394`

Parameters

`banner`

`rhel7stig::v204395`

`rhel7stig::v204396`

`rhel7stig::v204397`

`rhel7stig::v204398`

Parameters

`delay`

`rhel7stig::v204399`

`rhel7stig::v204400`

`rhel7stig::v204402`

`rhel7stig::v204403`

`rhel7stig::v204404`

Examples

Parameters

`delay`

`rhel7stig::v204405`

`rhel7stig::v204406`

`rhel7stig::v204407`

`rhel7stig::v204408`

`rhel7stig::v204409`

`rhel7stig::v204410`

`rhel7stig::v204411`

Parameters

`difok`

`rhel7stig::v204412`

Parameters

`minclass`

`rhel7stig::v204413`

Parameters

`maxrepeat`

`rhel7stig::v204414`

Parameters

`maxclassrepeat`

`rhel7stig::v204415`

`rhel7stig::v204416`

`rhel7stig::v204417`

`rhel7stig::v204418`

Parameters

`pass_min_days`

`rhel7stig::v204419`

`rhel7stig::v204420`

Parameters

`pass_max_days`

`rhel7stig::v204421`

`rhel7stig::v204422`

`rhel7stig::v204423`

Parameters

`minlen`

`rhel7stig::v204424`

`rhel7stig::v204425`

`rhel7stig::v204426`

`rhel7stig::v204427`

`rhel7stig::v204428`

`rhel7stig::v204429`

`rhel7stig::v204430`

Examples

`rhel7stig::v204431`