STIG customer responsibilities

The following STIG items are the customer's responsibility to implement according to their requirements and environment.

V-204510

Finding ID
For more information, see V-204510.
Version
RHEL-07-041003
Rule ID
xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
Title
The Red Hat® Enterprise Linux® operating system must encrypt the transfer of audit records that are off-loaded onto a different system or media from the system that is audited.
Justification
The implementation of this item depends on the environment and how you want audit logs to be encrypted and off-loaded to different systems or media. You are responsible for the configuration.

V-204632

Finding ID
For more information, see V-204632.
Version
RHEL-07-041002
Rule ID
xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
Title
The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts through pluggable authentication modules (PAM).
Justification
The implementation of this item depends on the environment and the multifactor authentication solution that you chose to integrate through PAM. You are responsible for the configuration.

For information on configuring SSSD, see Configuring SSSD.

V-204633

Finding ID
For more information, see V-204633.
Version
RHEL-07-041003
Rule ID
xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking
Title
The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.
Justification
The implementation of this item depends on the environment and the certificate status checking (OCSP) infrastructure that your PKI uses. You are responsible for the configuration.

For more information on configuring OCSP, see Configuring OCSP Responders.

V-214801

Finding ID
For more information, see V-214801.
Version
RHEL-07-032000
Rule ID
xccdf_org.ssgproject.content_rule_install_antivirus
Title
The Red Hat Enterprise Linux operating system must use a virus scan program.
Justification
Available open source virus scan programs do not meet the security requirements to be included in QRadar®. It is your responsibility to select and implement a suitable antivirus solution.

V-204577

Finding ID
For more information, see V-204577.
Version
RHEL-07-040100
Rule ID
xccdf_org.ssgproject.content_rule_configure_firewalld_ports
Title
The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
Justification
The implementation of this item depends on the environment and the specific services that are allowed based on your organization's site or program PPSM CLSA.

V-214800

Finding ID
For more information, see V-214800.
Version
RHEL-07-020019
Rule ID
xccdf_org.ssgproject.content_rule_package_mcafeetp_installed
Title
The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.
Justification
Available open source programs do not meet the security requirements to be included in QRadar. It is your responsibility to select and implement a suitable host-based intrusion detection tool.

V-204511

Finding ID
For more information, see V-204511.
Version
RHEL-07-030320
Rule ID
xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
Title
The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
Justification
The implementation of this item depends on the environment. Syslog-ng is used in QRadar instead of audisp and is installed by default and ready to be configured for compliance with this item. The most common implementation is to configure syslog-ng to send logs to a remote server. Add destination entries for each log type into /etc/syslog-ng/syslog-ng.conf. For example, to send messages by using TCP to a remote server with an IP address of 10.1.3.4 on port 1500, you add the following entry:
destination messages { network("10.1.3.4" port(1500)); };

For configuration information and examples, see syslog-ng Open Source Edition 3.19 - Administration Guide.

After the configuration is completed, restart the syslog-ng service to apply the changes:
service syslog-ng restart

Scanners might report this item as noncompliant even after syslog-ng is configured to handle logs when the storage volume is full, because most scanners check for the use of audisp. This is most likely a false positive when syslog-ng is properly configured.

V-204512

Finding ID
For more information, see V-204512.
Version
RHEL-07-030321
Rule ID
xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
Title
The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.
Justification
The implementation of this item depends on the environment. Syslog-ng is used in QRadar instead of audisp and is installed by default and ready to be configured for compliance with this item. The most common implementation is to introduce a disk buffer to store logs in the event of a failure. Add a disk-buffer option to each destination entry in /etc/syslog-ng/syslog-ng.conf. For example, to set up a disk buffer on messages that are being sent to a remote server with an IP address of 10.1.3.4 on port 1500, with the buffer location at /tmp/disk-buffer, reliable set to yes (ensures that logs are not lost during a reload, restart, unreachable destination, or crash), and a disk-buf-size of 2000000 bytes, add the following entry:
destination messages {
    network(
        "10.1.3.4"
        port(1500)
        disk-buffer(
            disk-buf-size(2000000)
            reliable(yes)
            dir("/tmp/disk-buffer")
        )
    );
};

For configuration information and examples, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.24/administration-guide/50.

After you create the configuration, restart the syslog-ng service to apply the changes:

service syslog-ng restart

Scanners might report this item as noncompliant even after syslog-ng is configured to buffer logs when there is an error sending to a remote system, because most scanners check for the use of audisp. This is most likely a false positive when syslog-ng is properly configured.
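The destination entries above define the remote target but give no way to confirm that every network() destination in a real syslog-ng.conf carries the disk-buffer() that V-204512 calls for, or the tls() block that an encrypted off-load (V-204510) needs. The following script is an added example, not part of the QRadar documentation; the destination names, addresses, ports, certificate directory and buffer paths in the sample configuration are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the QRadar documentation): list every syslog-ng
# network() destination that lacks a disk-buffer() block (V-204512) or a
# tls() block (needed for the encrypted off-load of V-204510).

check_syslogng_destinations() {
    awk '
    # "destination <name> {" opens a block; remember its name and start a buffer
    /^[ \t]*destination[ \t]+[A-Za-z0-9_]+/ {
        match($0, /destination[ \t]+[A-Za-z0-9_]+/)
        name = substr($0, RSTART, RLENGTH)
        sub(/destination[ \t]+/, "", name)
        body = ""; in_dest = 1
    }
    in_dest { body = body $0 "\n" }
    # "};" closes the block; only network() destinations are checked
    in_dest && /};/ {
        if (body ~ /network[ \t]*\(/) {
            missing = ""
            if (body !~ /disk-buffer[ \t]*\(/) missing = missing " disk-buffer"
            if (body !~ /tls[ \t]*\(/)         missing = missing " tls"
            if (missing != "") print name ":" missing
        }
        in_dest = 0
    }' "$1"
}

# Constructed sample: a bare destination, one with only a disk buffer,
# one with both tls() and disk-buffer(), and a local file destination.
write_sample_config() {
    cat > "$1" <<'EOF'
destination d_plain { network("10.1.3.4" port(1500)); };
destination d_buffered {
    network(
        "10.1.3.4"
        port(1500)
        disk-buffer(disk-buf-size(2000000) reliable(yes) dir("/tmp/disk-buffer"))
    );
};
destination d_hardened {
    network("10.1.3.4" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d") peer-verify(required-trusted))
        disk-buffer(disk-buf-size(2000000) reliable(yes) dir("/var/lib/syslog-ng/disk-buffer"))
    );
};
destination d_local { file("/var/log/messages"); };
EOF
}

# Run against the sample; pass a real /etc/syslog-ng/syslog-ng.conf instead to audit a host.
demo() {
    tmp=$(mktemp)
    write_sample_config "$tmp"
    check_syslogng_destinations "$tmp"
    rm -f "$tmp"
}
```

Running demo prints d_plain (missing both options) and d_buffered (missing tls), while d_hardened and the local file destination are silent.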

V-204509

Finding ID
For more information, see V-204509.
Version
RHEL-07-030300
Rule ID
xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
Title
The Red Hat Enterprise Linux operating system must offload audit records onto a different system or media from the system being audited.
Justification
The implementation of this item depends on the environment. Syslog-ng is used in QRadar instead of audisp and is installed by default and ready to be configured for compliance with this item, but the specifics of the implementation depend on the destination that the customer wants to off-load logs to. You can do this by adding destination entries for each log type into /etc/syslog-ng/syslog-ng.conf. For example, to send messages by using TCP to a remote server with an IP address of 10.1.3.4 on port 1500, you would add the following entry:
destination messages { network("10.1.3.4" port(1500)); };

For configuration information and examples, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.19/administration-guide/40.

After you complete the configuration, restart the syslog-ng service to apply the changes:
service syslog-ng restart

Scanners might report this item as noncompliant because most scanners check for the use of audisp. This is most likely a false positive when syslog-ng is properly configured.

V-204574

Finding ID
For more information, see V-204574.
Version
RHEL-07-031000
Rule ID
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Title
The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.
Justification
The implementation of this item is highly dependent on the environment in which it is being implemented. Syslog-ng is used in QRadar instead of rsyslog and is installed by default and ready to be configured for compliance with this item, but the specifics of the implementation will depend on the destination that the customer wants to off-load logs to. This can be done by adding destination entries for each log type into /etc/syslog-ng/syslog-ng.conf. For example, to send messages via TCP to a remote server with an IP address of 10.1.3.4 on port 1500, the following entry would be added:
destination messages { network("10.1.3.4" port(1500)); };

For configuration information and examples, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.19/administration-guide/40.

After you create the configuration, restart the syslog-ng service to apply the changes:
service syslog-ng restart

Scanners might report this item as noncompliant even after syslog-ng is configured to off-load logs since most scanners check for the use of audisp. This is most likely a false positive when syslog-ng is properly configured.

V-204506

Finding ID
For more information, see V-204506.
Version
RHEL-07-030201
Rule ID
N/A
Title
The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.
Justification
The implementation of this item depends on the environment. Syslog-ng is used in QRadar instead of audisp and is installed by default and ready to be configured for compliance with this item, but the specifics of the implementation depend on the destination that you want to offload logs to. This can be done by adding destination entries for each log type into /etc/syslog-ng/syslog-ng.conf. For example, to send messages by using TCP to a remote server with an IP address of 10.1.3.4 on port 1500, you would add the following entry:
destination messages { network("10.1.3.4" port(1500)); };

For configuration information and examples, see https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.19/administration-guide/40.

After you create the configuration, restart the syslog-ng service to apply the changes:
service syslog-ng restart

Scanners might report this item as noncompliant even after syslog-ng is configured to offload logs since most scanners check for the use of audisp. This is most likely a false positive when syslog-ng is properly configured.

V-204441

Finding ID
For more information, see V-204441.
Version
RHEL-07-010500
Rule ID
xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
Title
The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) by using multifactor authentication.
Justification

The implementation of this item depends on the environment and the specific multifactor authentication solution you chose. It is your responsibility to configure this item.

For information on configuring SSSD, see Configuring SSSD.

V-204473

Finding ID
For more information, see V-204473.
Version
RHEL-07-020680
Rule ID

xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions

Title

The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.

Justification

QRadar is compliant by default with these items but any newly created users are not compliant. It is the responsibility of the customer to ensure that the home directory for any new user is configured with the appropriate file and folder permissions in order to maintain compliance with these items. Use the following procedure to bring any newly created users into compliance:

  1. Run the command:
    $ sudo stat -c "%04a %n %F" /<user home dir>/* 

    Where <user home dir> is the home directory of the newly created user. This produces output in the following format: <permission> <file path> <file type>. For example, 0600 /<user home dir>/.bash_profile regular file.

  2. If the first digit of any permission listed is not 0 (including files and directories, excluding files starting with .), run the following command:
    $ sudo chmod a-s /path/to/file
  3. If the last 3 digits of any permission listed are more permissive than 750 (including files and directories, excluding files starting with .), run the following commands:
    $ sudo chmod g-rwx,g+rx /path/to/file
    $ sudo chmod o-rwx /path/to/file

V-204476

Finding ID
For more information, see V-204476.
Version

RHEL-07-020710

Rule ID

xccdf_org.ssgproject.content_rule_file_permission_user_init_files

Title

The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.

Justification

QRadar is compliant by default with these items but any newly created users are not compliant. It is the responsibility of the customer to ensure that the home directory for any new user is configured with the appropriate file and folder permissions in order to maintain compliance with these items. Use the following procedure to bring any newly created users into compliance:

  1. Run the command:
    $ sudo stat -c "%04a %n %F" /<user home dir>/.* 

    Where <user home dir> is the home directory of the newly created user. This produces output in the following format: <permission> <file path> <file type>. For example, 0600 /<user home dir>/.bash_profile regular file.

  2. If the first digit of any permission listed (excluding directories) is not 0, run the following command:
    $ sudo chmod a-s /path/to/file
  3. If the last 3 digits of any permission listed (excluding directories) are more permissive than 740, run the following commands:
    $ sudo chmod g-rwx,g+rx /path/to/file
    $ sudo chmod o-rwx /path/to/file
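The two procedures above (V-204473 for the home directory contents, V-204476 for the hidden initialization files) are run by hand against stat output. The script below is an added example, not part of the QRadar documentation, that applies both checks to one home directory with the same %04a stat field and prints what would need a chmod: non-hidden entries are held to 0750, hidden non-directory init files to 0740, and any setuid, setgid or sticky bit is flagged. Hidden directories are covered by neither step on this page, so they are skipped; the function name and output format are this example's own.

```shell
#!/bin/sh
# Added example (not part of the QRadar documentation): audit one user's home
# directory against the V-204473 (0750) and V-204476 (0740) limits.
# Usage: audit_home /home/<newuser>

audit_home() {
    home=$1
    for path in "$home"/* "$home"/.*; do
        name=${path##*/}
        [ -e "$path" ] || continue              # pattern that matched nothing
        case "$name" in .|..) continue ;; esac  # the directory itself and its parent
        case "$name" in
            .*) [ -d "$path" ] && continue      # hidden dirs: not covered by either step
                cap=740 ;;                      # init files: V-204476
            *)  cap=750 ;;                      # everything else: V-204473
        esac
        mode=$(stat -c '%04a' "$path")          # same %04a field the procedure uses
        special=${mode%???}                     # first digit: setuid/setgid/sticky
        perm=${mode#?}                          # last three digits: rwx for u/g/o
        if [ "$special" != 0 ]; then
            echo "special-bits $mode $name"     # fix: chmod a-s, as in step 2
        fi
        # "More permissive" means the mode grants any bit that the cap does not,
        # so compare bitwise rather than numerically (0700 is fine, 0071 is not).
        if [ $(( 0$perm & ~0$cap )) -ne 0 ]; then
            echo "too-permissive $mode $name (limit 0$cap)"   # fix: step 3 chmod
        fi
    done
}
```

Output lines name the offending entry and the limit it exceeds, so the step 2 and step 3 chmod commands from the procedures can be applied to exactly those paths.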

V-204488

Finding ID
For more information, see V-204488.
Version
RHEL-07-030310
Rule ID
xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
Title
The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.
Justification
The implementation of this item depends on the environment and the user accounts that were created. It is your responsibility to ensure that all created accounts comply with this item.

V-204504

Finding ID
For more information, see V-204504.
Version
RHEL-07-030010
Rule ID
xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
Title
The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) when an audit processing fails.
Justification
Availability is an overriding concern for QRadar. The configuration to alert any designated staff is your responsibility.

V-204608

Finding ID
For more information, see V-204608.
Version

RHEL-07-040600

Rule ID

xccdf_org.ssgproject.content_rule_network_configure_name_resolution

Title

For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.

Justification

The system verifies /etc/resolv.conf by using the file integrity tool by default, but it is the responsibility of the customer to document this with their Information System Security Officer (ISSO).

V-244557

Finding ID
For more information, see V-244557.
Version

RHEL-07-010483

Rule ID

xccdf_org.ssgproject.content_rule_grub2_admin_username

Title

Red Hat Enterprise Linux operating systems version 7.2 or later that are booted with a BIOS, must have a unique name for the grub superusers account when booting into single-user and maintenance modes.

Justification

The implementation of this item depends on the environment and the user accounts that were created. It is the responsibility of the customer to ensure that the boot user is correctly configured to comply with this item.

V-204581

Finding ID
For more information, see https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204581.
Version

RHEL-07-040180

Rule ID

xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls

Title

The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.

Justification

QRadar, by default, is not configured to use LDAP. If LDAP is used in your environment, you should also ensure that you are compliant with this item.

V-204582

Finding ID
For more information, see V-204582.
Version

RHEL-07-040190

Rule ID

xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert

Title

The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.

Justification

QRadar, by default, is not configured to use LDAP. If LDAP is used in your environment, you should also ensure that you are compliant with this item.

V-204583

Finding ID
For more information, see V-204583.
Version

RHEL-07-040200

Rule ID

xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir

Title

The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.

Justification

QRadar, by default, is not configured to use LDAP. If LDAP is used in your environment, you should also ensure that you are compliant with this item.

V-204603

Finding ID
For more information, see V-204603.
Version

RHEL-07-040500

Rule ID

xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll

Title

The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

Justification

It is the responsibility of the customer to ensure that a proper time server is being used for synchronization.

V-244525

Finding ID
For more information, see V-244525.
Version

RHEL-08-010201

Rule ID

SV-244525r743824_rule

Title

The SSH daemon ClientAliveCountMax option must be set correctly.

Justification

During installation or patching, the ClientAliveCountMax setting is reset due to technical limitations. You are responsible for setting ClientAliveCountMax to 0 in /etc/ssh/sshd_config after each installation or patch.