Hi all,

Sorry for dropping off the radar on this topic for a bit. Got caught up in other things at work. Anyway, I've attached the output of my little comparison program where I compared the content from the RHEL7.3 stig-rhel7-server-upstream content to the RHEL7.5 stig-rhel7-disa content. My program is specifically looking for cases where the rule state (enabled/disabled/notpresent) differs, or it can figure out that a variable used for the rule has changed (example - unlocktime). Found some surprising results as I mentioned before, and have finally gotten back around and made the results available.

I've also gotten initial permission to make that program available to the group. I need to clean it up a bit, as it is some of the ugliest Python code I've ever had the audacity to make public. A case of a tool starting out to do one thing and winding up doing something different. Once the rougher edges are off and final approval is given I'll post it.

The initial purpose was to give me a high level comparison between different releases to see what may have changed in the content (example - upgrading from RHEL7.3 to RHEL7.5). Things got distinctly messier when I realized the name of the profiles changed, and even more so when I added code to accept a tailoring file as an input.

Here are a couple of surprising things I've noticed: the following rules are enabled in the 7.3 content and disabled in the 7.5 content:

- Direct root Logins Not Allowed
- Ensure Red Hat GPG Key Installed
- Make the auditd Configuration Immutable
- Ensure SELinux Not Disabled in /etc/default/grub
- Restrict Virtual Console Root Logins

I don't see several of these in the RHEL7 V1R4 content from DISA either, so that may account for the missing entries - especially if the Red Hat content is supposed to track to the official STIG. I do confess to being a bit surprised by some of the missing items.

Anyway, attached is the output of my little checker, comparing the RHEL 7.3 'stig-rhel7-server-upstream' content with the RHEL7.5 'stig-rhel7-disa' content. If nothing else it may be a useful sanity checker for comparing versions.

Sincerely,
Rob Sanders

Robert Sanders
Sr. Secure Systems Engineer
FORCEPOINT
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com
FORWARD WITHOUT FEAR

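The comparison the message describes, as an added example (not the author's program, which is not included in the message): it reads the `select` and `refine-value` entries of one profile in each of two XCCDF files and reports every rule whose state or refined variable selector differs. The XML is constructed sample data; the rule ids, the "Constructed Unchanged Rule" entry and the function names are assumptions, and profile inheritance (`extends`) and tailoring files are not resolved.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are read alike."""
    return tag.rsplit("}", 1)[-1]

def profile_state(xccdf_text, profile_id):
    """Map rule title -> (state, ['variable=selector', ...]) for one profile."""
    root = ET.fromstring(xccdf_text)
    profile = next((e for e in root.iter()
                    if local(e.tag) == "Profile" and e.get("id") == profile_id), None)
    if profile is None:
        raise KeyError("profile not found: " + profile_id)
    selects, refines = {}, {}
    for child in profile:
        if local(child.tag) == "select":
            selects[child.get("idref")] = child.get("selected") in ("true", "1")
        elif local(child.tag) == "refine-value":
            refines[child.get("idref")] = child.get("selector")
    state = {}
    for rule in (e for e in root.iter() if local(e.tag) == "Rule"):
        title = next(((c.text or "").strip() for c in rule
                      if local(c.tag) == "title"), rule.get("id"))
        # A profile <select> overrides the rule's own default; XCCDF treats a
        # rule without a "selected" attribute as selected.
        default = rule.get("selected", "true") in ("true", "1")
        if not selects.get(rule.get("id"), default):
            state[title] = ("disabled", [])
            continue
        # Variables a rule uses are the value-ids its checks export.
        used = {e.get("value-id") for e in rule.iter()
                if local(e.tag) == "check-export"}
        state[title] = ("enabled",
                        sorted(f"{v}={refines[v]}" for v in used if v in refines))
    return state

def diff_profiles(old, new):
    """Return {title: (old_state, new_state)} for entries that differ."""
    absent = ("N/A", [])  # rule does not exist in that benchmark at all
    return {t: (old.get(t, absent), new.get(t, absent))
            for t in sorted(set(old) | set(new))
            if old.get(t, absent) != new.get(t, absent)}

# --- constructed sample input (not real SCAP Security Guide content) ---
NS = 'xmlns="http://checklists.nist.gov/xccdf/1.1"'
UNLOCK = "var_accounts_passwords_pam_faillock_unlock_time"
RULES = f"""
  <Rule id="rule_unlock_time" selected="false">
    <title>Set Lockout Time For Failed Password Attempts</title>
    <check system="oval"><check-export export-name="v" value-id="{UNLOCK}"/></check>
  </Rule>
  <Rule id="rule_no_direct_root" selected="false">
    <title>Direct root Logins Not Allowed</title>
  </Rule>
  <Rule id="rule_fail_delay" selected="false">
    <title>Ensure the Logon Failure Delay is Set Correctly in login.defs</title>
    <check system="oval"><check-export export-name="v" value-id="var_accounts_fail_delay"/></check>
  </Rule>
  <Rule id="rule_unchanged" selected="false"><title>Constructed Unchanged Rule</title></Rule>
"""
OLD_XCCDF = f"""<Benchmark {NS} id="constructed-old">
  <Profile id="stig-rhel7-server-upstream">
    <select idref="rule_unlock_time" selected="true"/>
    <select idref="rule_no_direct_root" selected="true"/>
    <select idref="rule_unchanged" selected="true"/>
    <refine-value idref="{UNLOCK}" selector="604800"/>
  </Profile>
  <Group id="g">{RULES}</Group>
</Benchmark>"""
NEW_XCCDF = f"""<Benchmark {NS} id="constructed-new">
  <Profile id="stig-rhel7-disa">
    <select idref="rule_unlock_time" selected="true"/>
    <select idref="rule_fail_delay" selected="true"/>
    <select idref="rule_unchanged" selected="true"/>
    <select idref="rule_home_dirs" selected="true"/>
    <refine-value idref="{UNLOCK}" selector="never"/>
    <refine-value idref="var_accounts_fail_delay" selector="4"/>
  </Profile>
  <Group id="g">{RULES}
    <Rule id="rule_home_dirs" selected="false">
      <title>Ensure Home Directories are Created for New Users</title>
    </Rule>
  </Group>
</Benchmark>"""

if __name__ == "__main__":
    old = profile_state(OLD_XCCDF, "stig-rhel7-server-upstream")
    new = profile_state(NEW_XCCDF, "stig-rhel7-disa")
    for title, (a, b) in diff_profiles(old, new).items():
        print(title)
        print("   old ->", a[0], a[1] if a[0] == "enabled" else "")
        print("   new ->", b[0], b[1] if b[0] == "enabled" else "")
```

Matching by title, as this example does, reports a retitled rule as removed and re-added; the separate "Enable Encrypted X11 Fordwarding" and "Enable Encrypted X11 Forwarding" entries in the attached output are consistent with that.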
Comparing (/home/rob/rh73_xccdf.xml,stig-rhel7-server-upstream) ,(/home/rob/rh75_xccdf.xml,stig-rhel7-disa) Found a total of 314 active rules Assign Expiration Date to Temporary Accounts /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure Home Directories are Created for New Users /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure the Logon Failure Delay is Set Correctly in login.defs /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_accounts_fail_delay=4'] Verify All Account Password Hashes are Shadowed /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Set Password to Maximum of Consecutive Repeating Characters from Same Character Class /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_password_pam_maxclassrepeat=4'] Set Existing Passwords Maximum Age /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Set Existing Passwords Minimum Age /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure the root Account for Failed Password Attempts /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Set Lockout Time For Failed Password Attempts /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_accounts_passwords_pam_faillock_unlock_time=604800'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_accounts_passwords_pam_faillock_unlock_time=never'] Set Interactive Session Timeout /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> 
enabled ['var_accounts_tmout=10_min'] Ensure the Default Umask is Set Correctly in login.defs /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_accounts_user_umask=077'] Ensure the Default Umask is Set Correctly For Interactive Users /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] User Initialization Files Must Be Group-Owned By The Primary User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] User Initialization Files Must Not Run World-Writable Programs /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] User Initialization Files Must Be Owned By the Primary User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure that Users Path Contains Only Local Directories /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All Interactive Users Must Have A Home Directory Defined /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All Interactive Users Home Directories Must Exist /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All User Files and Directories In The Home Directory Must Be Owned By The Primary User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive 
/home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Build and Test AIDE Database /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure Notification of Post-AIDE Scan Details /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure AIDE to Use FIPS 140-2 for Validating Hashes /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure AIDE to Verify Access Control Lists (ACLs) /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure AIDE to Verify Extended Attributes /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Any Attempts to Run chcon /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Any Attempts to Run restorecon /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Any Attempts to Run semanage /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Any Attempts to Run setsebool /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects File Deletion Events by User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure auditd Collects File Deletion Events by User - rename /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects File Deletion Events by User - renameat 
/home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects File Deletion Events by User - rmdir /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects File Deletion Events by User - unlink /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects File Deletion Events by User - unlinkat /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Make the auditd Configuration Immutable /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure auditd Collects Information on Kernel Module Loading and Unloading /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure auditd Collects Information on Kernel Module Loading and Unloading - delete_module /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on Kernel Module Loading and Unloading - init_module /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on Kernel Module Loading and Unloading - insmod /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on Kernel Module Loading and Unloading - rmmod /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) 
-> enabled [] Record Attempts to Alter Logon and Logout Events /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Attempts to Alter Logon and Logout Events - faillock /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Attempts to Alter Logon and Logout Events - lastlog /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Attempts to Alter Logon and Logout Events - tallylog /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Events that Modify the System's Mandatory Access Controls /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Events that Modify the System's Network Environment /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure auditd Collects Information on the Use of Privileged Commands - chage /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - chsh /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - crontab /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - newgrp /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A 
/home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - passwd /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - postdrop /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - postqueue /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - su /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - sudo /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - umount /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A 
/home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure auditd Collects Information on the Use of Privileged Commands - userhelper /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Attempts to Alter Process and Session Initiation Information /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Shutdown System When Auditing Failures Occur /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record attempts to alter time through adjtimex /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Attempts to Alter Time Through clock_settime /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record attempts to alter time through settimeofday /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Attempts to Alter Time Through stime /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Attempts to Alter the localtime File /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Unauthorized Access Attempts to Files (unsuccessful) - creat /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A 
/home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Unauthorized Access Attempts to Files (unsuccessful) - open /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Unauthorized Access Attempts to Files (unsuccessful) - openat /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Unauthorized Access Attempts to Files (unsuccessful) - truncate /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Events that Modify User/Group Information /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Record Events that Modify User/Group Information - /etc/group /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Events that Modify User/Group Information - /etc/gshadow /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Events that Modify User/Group Information - /etc/security/opasswd /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Events that Modify User/Group Information - /etc/passwd /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Record Events that Modify User/Group Information - /etc/shadow 
/home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure audispd Plugin To Send Logs To Remote Server /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure audispd's Plugin disk_full_action When Disk Is Full /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Encrypt Audit Records Sent With audispd Plugin /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure audispd's Plugin network_failure_action On Network Failure /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure auditd to use audispd's syslog plugin /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure auditd admin_space_left Action on Low Disk Space /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_auditd_admin_space_left_action=single'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure auditd flush priority /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_auditd_flush=data'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure auditd Max Log File Size /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_auditd_max_log_file=6'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure auditd max_log_file_action Upon Reaching Maximum Log Size /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_auditd_max_log_file_action=rotate'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure auditd Number of Logs Retained /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_auditd_num_logs=5'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Configure auditd 
space_left on Low Disk Space /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_auditd_space_left=100'] Modify the System Login Banner /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['login_banner_text=dod_default'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['login_banner_text=dod_banners'] Assign Password to Prevent Changes to Boot Firmware Configuration /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Disable Booting from USB Devices in Boot Firmware /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Enable NX or XD Support in the BIOS /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Enable Auditing for Processes Which Start Prior to the Audit Daemon /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Boat Loader Is Not Installed On Removeable Media /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Disable Kernel Support for USB via Bootloader Configuration /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Set the UEFI Boot Loader Password /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure Time Service Maxpoll Interval /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_time_service_set_maxpoll=system_default'] Specify Additional Remote NTP Servers /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_multiple_time_servers=rhel'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Specify a 
Remote NTP Server /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_multiple_time_servers=rhel'] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure YUM Removes Previous Package Versions /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure the Firewalld Ports /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['firewalld_sshd_zone=public'] Configure firewalld To Rate Limit Connections /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Enable GNOME3 Login Warning Banner /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Enable the GNOME3 Login Smartcard Authentication /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Set the GNOME3 Login Warning Banner Text /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Enable GNOME3 Screensaver Idle Activation /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Set GNOME3 Screensaver Inactivity Timeout /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['inactivity_timeout_value=15_minutes'] Set GNOME3 Screensaver Lock Delay After Activation Period /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Enable GNOME3 Screensaver Lock After Idle Period /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_screensaver_lock_delay=5_seconds'] Ensure Users Cannot Change GNOME3 Screensaver Settings 
/home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure Users Cannot Change GNOME3 Session Idle Settings /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure All World-Writable Directories Are Owned by a System Account /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Verify that Interactive Boot is Disabled /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Disable Prelinking /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure SELinux Not Disabled in /etc/default/grub /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Enable Encrypted X11 Fordwarding /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> N/A Encrypt Partitions /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure gpgcheck Enabled for Local Packages /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure gpgcheck Enabled For All Yum Package Repositories /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Ensure gpgcheck Enabled for Repository Metadata /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure Red Hat GPG Key Installed /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Verify Group Who Owns /etc/cron.allow file /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) 
-> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All Interactive User Home Directories Must Be Group-Owned By The Primary User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Verify User Who Owns /etc/cron.allow file /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All Interactive User Home Directories Must Be Owned By The Primary User /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Ensure All User Initialization Files Have Mode 0740 Or Less Permissive /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] All Interactive User Home Directories Must Have mode 0750 Or Less Permissive /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] System Audit Logs Must Have Mode 0640 or Less Permissive /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Create Warning Banners for All FTP Users /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Disable GDM Automatic Login /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Disable GDM Guest Login /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Enable FIPS Mode in GRUB2 /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Install PAE Kernel on Supported 32-bit x86 Systems /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Install Virus Scanning Software 
/home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Install Intrusion Detection Software /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Install McAfee Virus Scanning Software /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Install Smart Card Packages For Multifactor Authentication /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] The Installed Operating System Is Vendor Supported and Certified /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Disable Bluetooth Kernel Modules /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled [] /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled Disable DCCP Support /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Configure LDAP Client to Use TLS For All Transactions /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Virus Scanning Software Definitions Are Updated /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Add nosuid Option to /home /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Mount Remote Filesystems with noexec /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Mount Remote Filesystems with nosuid /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled [] Add nosuid Option to Removable Media Partitions /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> 
disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['var_removable_partition=dev_cdrom']
Configure Multiple DNS Servers in /etc/resolv.conf
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Disable Client Dynamic DNS Updates
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Ensure System is Not Acting as a Network Sniffer
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Direct root Logins Not Allowed
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Remove Host-Based Authentication Files
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Remove Rsh Trust Files
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Remove User Host-Based Authentication Files
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Install the OpenSSH Server Package
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Uninstall rsh Package
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Uninstall talk-server Package
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Uninstall talk Package
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Remove telnet Clients
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Uninstall vsftpd Package
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Uninstall xinetd Package
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Remove NIS Client
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Prevent Unrestricted Mail Relaying
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Restrict Serial Port Root Logins
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Verify and Correct Ownership with RPM
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Ensure cron Is Logging To Rsyslog
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Ensure Logs Sent To Remote Host
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['rsyslog_remote_loghost_address=logcollector']
Restrict Virtual Console Root Logins
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Ensure No Daemons are Unconfined by SELinux
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Map System Users To The Appropriate SELinux Role
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Disable Bluetooth Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Enable the NTP Daemon
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Enable cron Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable debug-shell SystemD Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable rexec Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable rlogin Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable rsh Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Enable the OpenSSH Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Disable telnet Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable xinetd Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable ypbind Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable Quagga Service
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Enable Smart Card Login
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Configure Smart Card Certificate Status Checking
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Disable SSH Support for Rhosts RSA Authentication
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Disable SSH Support for User Known Hosts
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Enable Encrypted X11 Forwarding
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Print Last Log
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Set SSH Idle Timeout Interval
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['sshd_idle_timeout_value=15_minutes']
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['sshd_idle_timeout_value=10_minutes']
Use Only FIPS 140-2 Validated MACs
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com']
Configure PAM in SSSD Services
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Configure SSSD LDAP Backend Client CA Certificate
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Configure SSSD LDAP Backend Client CA Certificate Location
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> N/A
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Disable Core Dumps for SUID programs
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Restrict Access to Kernel Message Buffer
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Enable ExecShield
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['sysctl_net_ipv4_conf_all_accept_source_route_value=disabled']
Disable Kernel Parameter for IP Forwarding
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Configure Kernel Parameter to Use TCP Syncookies
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['sysctl_net_ipv4_tcp_syncookies_value=enabled']
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled ['sysctl_net_ipv6_conf_all_accept_source_route_value=disabled']
Ensure tftp Daemon Uses Secure Mode
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> disabled
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> enabled []
Set Daemon Umask
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled ['var_umask_for_daemons=022']
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Use Kerberos Security on All Exports
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable WiFi or Bluetooth in BIOS
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled
Disable X Windows Startup By Setting Default Target
    /home/rob/rh73_xccdf.xml(stig-rhel7-server-upstream) -> enabled []
    /home/rob/rh75_xccdf.xml(stig-rhel7-disa) -> disabled