DISA Updated the RHEL7 STIG! What changed between V1R1 –> V1R2?

This week DISA released an update to their RHEL7 STIG content, incrementing their release from V1R1 to V1R2. This update was unexpected; updates were not coordinated with DoD, NSA, NIST, or Red Hat — so what exactly changed?

DISA released their first edition, V1R1, on 27-FEB-2017. Since then over 200 bugs have been reported to DISA, and over 100 NSA and Red Hat recommended configuration checks were left out of DISA’s initial content without explanation. Industry and DoD system owners have been waiting six months in hopes of a production-ready baseline.

According to DISA’s release notes, 17 changes have been made between V1R1 and V1R2. Let’s step through each one manually to find out what changed.


1. Updated RHEL-07-010060 Removed items from Fix instructions that were not exclusive to screen lock.

Rule title:
The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.

What changed?
The configuration check only evaluates whether the session lock is turned on (lock-enabled=true). DISA’s original fix text, however, also set the screensaver idle timeout (idle-delay=uint32 900) and the lock delay (lock-delay=uint32 180), settings that belong to other rules rather than to this one.

This was an issue identified during DISA’s pre-release public comment period (prior to their issuance of V1R1) back in May 2016. This update reflects an administrative cleanup of the rule and not new/updated requirements.

Expressed as a diff, here’s what changed:

$ diff v1r1.txt v1r2.txt
< Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
---
> Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
7,11d6
< Edit “org/gnome/desktop/session” and add or update the following lines:
<
< # Set the lock time out to 900 seconds before the session is considered idle
< idle-delay=uint32 900
<
16,19d10
< # Set the lock timeout to 180 seconds after the screensaver has been activated
< lock-delay=uint32 180^M
<
< You must include the "uint32" along with the integer key values as shown.


2. Updated RHEL-07-010070 Removed items from Fix instructions that were not exclusive to idle delay.

Rule title:
The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.

What changed?
Administrative cleanup. The V1R1 language had administrators remediate lock-enabled=true and lock-delay=uint32 180, but the compliance check was only evaluating idle-delay=uint32 900.

This was an issue identified during DISA’s pre-release public comment period (prior to their issuance of V1R1) back in May 2016. This update reflects an administrative cleanup of the rule and not new/updated requirements.

$ diff v1r1.txt v1r2.txt
< Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
---
> Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
7c7
< Edit “org/gnome/desktop/session” and add or update the following lines:
---
> Edit "/org/gnome/desktop/session" and add or update the following lines:
12,18d11
< Edit "org/gnome/desktop/screensaver" and add or update the following lines:
<
< # Set this to true to lock the screen when the screensaver activates
< lock-enabled=true
< # Set the lock timeout to 180 seconds after the screensaver has been activated
< lock-delay=uint32 180
<


3. Updated RHEL-07-010130 Wrote new Fix section to meet the requirement text for password complexity.

Rule title:
When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.

What changed?
This requirement ensures passwords contain at least one lower-case character. DISA’s original fix text instead configured pam_faillock account lockout after three failed logons, and this misalignment caused confusion about the true intent of the control. As a result, DISA has completely rewritten the fix text.

This was an issue identified during DISA’s pre-release public comment period (prior to their issuance of V1R1) back in May 2016.

Original V1R1 language:
> Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
> Modify the first three lines of the "auth" section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:
> Note: RHEL 7.3 and later allows for a value of “never” for "unlock_time". This is an acceptable value but should be used with caution if availability is a concern.
>
> auth        required       pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
> auth        sufficient     pam_unix.so try_first_pass
> auth        [default=die]  pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
>
> and run the "authconfig" command.

Updated V1R2 language:

> Configure the operating system to require at least one lower-case character when passwords are changed or new passwords are established.
>
> Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
> lcredit = -1


4. Updated RHEL-07-010480 Updated grep command in Check instructions.

Rule title:
Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

What changed?
This rule verifies that the system requires an administrative password before booting into single-user mode. DISA’s new check command can never match a correctly configured system, so it reports a finding everywhere.

Password-enabled GRUB2 configurations are defined as follows in /boot/grub2/grub.cfg:
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
    password_pbkdf2 root grub.pbkdf2.sha512.10000.{{some-encrypted-string-here}}
  fi
fi

Note the spaces before the “password_pbkdf2”.

The issue is DISA’s new regex:
$ diff V1R1.txt V1R2.txt
< # grep -i password /boot/grub2/grub.cfg
---
> # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg

The new regex is anchored with ^, so it only matches lines that begin in column 0 with password_pbkdf2. Because grub2-mkconfig indents that line, the pattern *never* matches, and every system, including correctly configured ones, is reported as a finding.

For accreditors: This can be remediated by dropping the ^ from the regex, or by allowing leading whitespace with grep -E '^[[:space:]]*password_pbkdf2'.
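To show the anchoring problem concretely, here is an added example (not DISA’s check text) that runs the V1R2 grep and a corrected one against a constructed grub.cfg fragment shaped like the 01_users block above. The corrected check also requires the set superusers line, which is an assumption of this example: password_pbkdf2 only defines a user, and it is superusers that restricts menu editing and the command line to that user.

```sh
#!/bin/sh
# Added example, not DISA's check text: reproduce the V1R2 grep against a
# grub.cfg fragment like the one above and show an anchor that tolerates the
# indentation grub2-mkconfig emits for /etc/grub.d/01_users.

# Constructed sample: the 01_users block as grub2-mkconfig writes it.
make_sample_grub_cfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
EOF
    echo "$f"
}

# DISA V1R2 check: anchored at column 0, so the indented line never matches.
disa_v1r2_grub_check() {  # $1 = grub.cfg; prints pass|finding
    if grep -qi '^password_pbkdf2' "$1"; then echo pass; else echo finding; fi
}

# Corrected check: allow leading whitespace, and also require "set superusers",
# since password_pbkdf2 alone defines a user without restricting anything
# (assumption of this example: both lines are expected, as in the fragment).
corrected_grub_check() {  # $1 = grub.cfg; prints pass|finding
    if grep -Eqi '^[[:space:]]*password_pbkdf2[[:space:]]' "$1" &&
       grep -Eqi '^[[:space:]]*set[[:space:]]+superusers=' "$1"; then
        echo pass
    else
        echo finding
    fi
}

f=$(make_sample_grub_cfg)
echo "DISA V1R2 regex: $(disa_v1r2_grub_check "$f")"   # finding (false alarm)
echo "corrected regex: $(corrected_grub_check "$f")"   # pass
rm -f "$f"
```

On a live RHEL 7 host, point both functions at /boot/grub2/grub.cfg; the superusers line should always be present when a GRUB password has been set with grub2-setpassword.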


5. Updated RHEL-07-020100 Check and Fix instructions to blacklist USB devices using the blacklist.conf file.

Rule title:
USB mass storage must be disabled.

What changed?
For over 10 years NSA and Red Hat have recommended disabling kernel modules with an install directive that maps the module to /bin/true (or /bin/false), so that any attempt to load it runs that command instead. DISA has updated their guidance to use the blacklist directive instead:

DISA’s changes:

$ diff r1.txt r2.txt
< #grep -i usb-storage /etc/modprobe.d/*
---
> # grep usb-storage /etc/modprobe.d/blacklist.conf
> blacklist usb-storage
< install usb-storage /bin/true
<
< If the command does not return any output, and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
---
> If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

DISA has introduced a number of issues with this change:

1. modprobe reads every *.conf file under /etc/modprobe.d/ in alphabetical order. For that reason, the NSA and Red Hat recommended evaluation scanned all files under the /etc/modprobe.d/ directory.

In the latest DISA content, DISA narrowed the evaluation to the /etc/modprobe.d/blacklist.conf file alone. Nothing else in that directory is inspected, so a /etc/modprobe.d/ignore_disa.conf that simply re-enables the module would go unnoticed and the system would still pass a STIG scan.

2. The NSA and Red Hat recommended evaluation for kernel modules, which was included in V1R1 of DISA’s content, specifically avoided the blacklist directive. Straight from the Red Hat documentation:

> The blacklist <module_name> command, however, does not prevent the module from being loaded manually, or from being loaded as a dependency for another kernel module that is not blacklisted. To ensure that a module cannot be loaded on the system at all, modify the specified configuration file in the /etc/modprobe.d/ directory as root with the following line:
> install <module_name> /bin/true

By switching from install /bin/true to blacklist, DISA leaves open two loading paths that the Red Hat method closes: another kernel module (including a malicious one) pulling in usb-storage as a dependency, and any root user enabling usb-storage from the command line with modprobe.

3. DISA’s updated regex only accepts “blacklist,” instead of also supporting the correct /bin/true or /bin/false configuration settings. If systems do not use blacklist they get a CAT II finding.

DISA has ensured Linux systems in DoD are now open to vulnerabilities from inserting rogue USB devices.
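The three issues above can be seen side by side with an added example (not DISA’s or Red Hat’s code) that implements DISA’s V1R2 check and a whole-directory scan of the kind the vendor content performed, then runs both over constructed /etc/modprobe.d sample directories. The sample file names are assumptions of this example; the module-name handling reflects modprobe’s rule that a dash and an underscore in a module name are interchangeable.

```sh
#!/bin/sh
# Added example, not DISA's or Red Hat's code: compare DISA's V1R2 usb-storage
# check, which reads only /etc/modprobe.d/blacklist.conf, with a scan of the
# whole directory for the "install usb-storage /bin/true" form Red Hat
# recommends. Runs against constructed sample directories, not the live system.

# DISA V1R2 logic: pass only if blacklist.conf literally contains
# "blacklist usb-storage".
disa_v1r2_check() {  # $1 = modprobe.d directory; prints pass|finding
    if grep -qs 'blacklist usb-storage' "$1/blacklist.conf"; then
        echo pass
    else
        echo finding
    fi
}

# Effective state across every *.conf modprobe reads. modprobe treats "-" and
# "_" in module names as the same character, so both spellings are matched.
#   install   - install usb-storage /bin/true (or /bin/false): cannot be loaded
#               by name or as a dependency
#   blacklist - only "blacklist usb-storage": alias resolution is blocked, but
#               "modprobe usb-storage" and dependency loads still succeed
#   none      - no restriction found
effective_state() {  # $1 = modprobe.d directory
    state=none
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)' "$f"; then
            state=install
        elif [ "$state" = none ] &&
             grep -Eq '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage([[:space:]]|$)' "$f"; then
            state=blacklist
        fi
    done
    echo "$state"
}

# Constructed sample directories (assumption: file names chosen for the demo).
make_sample() {  # $1 = redhat|disa|both|underscore
    d=$(mktemp -d)
    case $1 in
        redhat)     printf 'install usb-storage /bin/true\n' > "$d/usb-storage.conf" ;;
        disa)       printf 'blacklist usb-storage\n' > "$d/blacklist.conf" ;;
        both)       printf 'blacklist usb-storage\n' > "$d/blacklist.conf"
                    printf 'install usb-storage /bin/true\n' > "$d/usb-storage.conf" ;;
        underscore) printf 'blacklist usb_storage\n' > "$d/blacklist.conf" ;;
    esac
    echo "$d"
}

for v in redhat disa both underscore; do
    d=$(make_sample "$v")
    printf '%-10s DISA V1R2: %-8s effective: %s\n' \
        "$v" "$(disa_v1r2_check "$d")" "$(effective_state "$d")"
    rm -rf "$d"
done
```

The redhat sample is the fully hardened host that V1R2 now scores as a CAT II finding; the disa sample passes the STIG scan while the module remains loadable by name; the underscore sample is blacklisted as far as modprobe is concerned, yet fails DISA’s literal grep.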


6. Updated RHEL-07-020630 Removed extra space from the command in the Check content.

Rule title:
All local interactive user home directories must have mode 0750 or less permissive.

What changed?
DISA has corrected a command line example.

Old:
# ls -ld $ (egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)

New (note $(egrep) no longer contains a space after the $):
# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)


7. Updated RHEL-07-020640 Removed extra space from the command in the Check content.

Same fix as RHEL-07-020630. DISA used that command in multiple places.


8. Updated RHEL-07-020650 Removed extra space from the command in the Check content.

Same fix as RHEL-07-020630. DISA used that command in multiple places.


9. Updated RHEL-07-021030 Updated find command in Check content.

Rule title:
All world-writable directories must be group-owned by root, sys, bin, or an application group.

What changed?
DISA altered a command line example, changing the order of operands:

Old:
# find / -perm -002 -xdev -type d -fstype xfs -exec ls -lLd {} \;

New:
# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \;

This change has no effect on returned results.

Pro tip: In the RHEL7 Vendor STIG, NSA and Red Hat recommended the following command to find world-writable directories that are *not* owned by root, sys, bin, or an application/daemon account (-uid +999 selects owners with a UID of 1000 or greater):
$ sudo find / -xdev -type d -perm -0002 -uid +999 -print

Compared with DISA’s command, which lists every world-writable directory for manual review, the RHEL7 Vendor content returns only the world-writable directories owned by UIDs of 1000 and greater, which avoids the false positives.


10. Updated RHEL-07-021110 Removed extra space from the command in the Check content.

Rule title:
If the cron.allow file exists it must be owned by root

What changed?
DISA had a typo in their sample command.

Old:
# l s -al /etc/cron.allow

New:
# ls -al /etc/cron.allow


11. Updated RHEL-07-021330 Updated entire Check content to fit the requirement.

Rule title:
The system must use a separate file system for the system audit data path

What changed?
While the requirement is to have /var/log/audit on its own partition, DISA’s old check text recursively searched the filesystem for files called “aide.conf” and set a file hash algorithm. Their check text has been updated to properly evaluate partitions in /etc/fstab.


12. Updated RHEL-07-030360 Updated code in Fix content.

Rule title:
All privileged function executions must be audited.

What changed?
The DISA content recursively searches for SUID/SGID binaries and creates audit rules that fire when those binaries are executed. The old audit rule syntax was invalid and has been updated.

Old audit rule:
-a always,exit -F <suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid

The suid_prog_with_full_path needed “path=” prepended to it. Without the field name, auditctl rejects the rule as malformed, so the rules never loaded and no SUID/SGID binary on DoD systems was being audited.

DISA’s updated audit rule:
-a always,exit -F part=<suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid

DISA’s new audit rule now includes “-F part=<suid_prog_with_full_path>“. As documented in the auditctl(8) man page, there is no “part” field, so auditctl rejects this rule just as it rejected the old one.

The correct option is “path”:
-a always,exit -F path=<suid_prog_with_full_path> -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid

Should DoD elements use the “-F part=…” syntax, their SUID/SGID binaries will continue to run with absolutely no auditing.
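Since the fix text expects administrators to generate one rule per privileged binary, here is an added example (not DISA’s fix text) that emits the rules with the correct -F path= field from a list of paths on stdin, plus a small validator that rejects both the V1R1 (“-F /path”) and V1R2 (“-F part=”) forms. The two sample paths are constructed for the demo; on a live host the list comes from find, as in the usage note.

```sh
#!/bin/sh
# Added example, not DISA's fix text: generate RHEL-07-030360 rules with the
# correct "-F path=" field. Paths are read from stdin so the output can be
# checked; on a live system feed them from find (see the usage note).

# Print one audit rule per privileged binary path read from stdin.
# auid>=1000 limits the rule to interactive users; auid!=4294967295 skips
# processes whose login UID was never set (daemons started at boot).
gen_privileged_audit_rules() {
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        printf '%s\n' "-a always,exit -F path=$prog -F perm=x -F auid>=1000 -F auid!=4294967295 -k setuid/setgid"
    done
}

# Sanity check on a generated rule file: no line may carry the misspelled
# "-F part=" from V1R2 or the bare "-F /path" from V1R1. Prints the number of
# well-formed "-F path=" rules; returns non-zero if a bad line is present.
validate_rules() {  # $1 = rules file
    if grep -Eq -e '-F (part=|/)' "$1"; then
        return 1
    fi
    grep -c -e '-F path=/' "$1"
}

# Constructed sample list (assumption: two common setuid programs).
sample_rules() {
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo | gen_privileged_audit_rules
}

sample_rules
```

Usage on a RHEL 7 host (assumed invocation, matching the rule’s intent of covering every setuid/setgid file on local filesystems): find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | gen_privileged_audit_rules > /etc/audit/rules.d/privileged.rules, then augenrules --load and confirm with auditctl -l that the rules actually took.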


13. Updated RHEL-07-030874 Updated the path used in both the Check and Fix instructions.

Rule title:
The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd

What changed?
Linux systems store previous password hashes (pam_unix’s remember= option) in /etc/security/opasswd, not /etc/opasswd (a path from the Solaris days). DISA updated their content to audit the correct file.

Old audit rule:
-w /etc/opasswd -p wa -k identity

New audit rule:
-w /etc/security/opasswd -p wa -k identity

Side note: The rule title needs updating to reflect /etc/security/opasswd.


14. Updated RHEL-07-040330 Updated Check and Fix content to require the value “no”.

Rule title:
The SSH daemon must not allow authentication using RSA rhosts authentication

What changed?
DISA’s initial fix text had DoD users enable this setting, versus ensuring it’s turned off. Note that RhostsRSAAuthentication applies to SSH protocol version 1 only, so on a host that speaks only protocol 2 the setting is inert either way; it still has to read “no” for the check to pass.

V1R1:
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
RhostsRSAAuthentication yes

V1R2:
Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
RhostsRSAAuthentication no


15. Updated RHEL-07-040510 Updated command and instructions in Fix content.

Rule title:
The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces

What changed?
DISA’s original remediation command was incomplete: it lacked --permanent, so the rule did not survive a firewalld reload, and it lacked the explicit -m tcp match. V1R2 adds both.
V1R1:
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

V1R2:
# firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


16. Updated RHEL-07-040530 Updated Check content to better address SSHD configuration.

Rule title: 
The system must display the date and time of the last successful account logon upon logon.

What changed?

DISA clarified the failure condition for this rule.

The V1R1 failure condition:
If "pam_lastlog" is missing from "/etc/pam.d/postlogin-ac" file, or the silent option is present on the line check for the "PrintLastLog" keyword in the sshd daemon configuration file, this is a finding.

And updated V1R2 language:
If "pam_lastlog" is missing from "/etc/pam.d/postlogin-ac" file, or the silent option is present and PrintLastLog is missing from or set to "no" in the "/etc/ssh/sshd_config" file this is a finding.

Unfortunately, the updated language introduces a false positive. As documented in sshd_config(5), PrintLastLog defaults to yes, so a host that never mentions it in /etc/ssh/sshd_config still prints the date and time of the last successful account logon.

With DISA’s updated failure condition, the default configuration of the SSH daemon (while valid) will be flagged as a failure.
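An added example (not DISA’s check text) of how to evaluate this rule the way sshd itself resolves the keyword: an absent PrintLastLog is treated as the documented default of yes, keywords are matched case-insensitively, comments are ignored, and the first occurrence wins. The PAM and sshd_config fragments are constructed for the demo.

```sh
#!/bin/sh
# Added example, not DISA's check text: evaluate RHEL-07-040530 the way sshd
# resolves PrintLastLog, treating an absent keyword as the default "yes".
# Runs on constructed config fragments, not the live system.

# Effective PrintLastLog value from an sshd_config file. sshd keywords are
# case-insensitive and the first occurrence wins; commented lines are ignored.
# On a live host, "sshd -T | grep -i printlastlog" gives the same answer.
effective_printlastlog() {  # $1 = sshd_config path
    v=$(awk 'tolower($1) == "printlastlog" { print tolower($2); exit }' "$1")
    echo "${v:-yes}"
}

# Is pam_lastlog present with the "silent" option in a PAM session stack?
pam_lastlog_silent() {  # $1 = pam file; returns 0 if silent, 1 otherwise
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_lastlog\.so.*[[:space:]]silent' "$1"
}

# Finding logic: pam_lastlog missing is a finding; if it is silent, sshd must
# print the last login itself, so only an effective "no" is a finding.
lastlog_check() {  # $1 = pam file, $2 = sshd_config; prints pass|finding
    if ! grep -Eq '^[[:space:]]*session[[:space:]].*pam_lastlog\.so' "$1"; then
        echo finding; return
    fi
    if pam_lastlog_silent "$1" && [ "$(effective_printlastlog "$2")" = no ]; then
        echo finding; return
    fi
    echo pass
}

# Constructed samples (assumption: single-line stand-ins for postlogin-ac and
# sshd_config).
make_pam() {  # $1 = "" or "silent"
    f=$(mktemp)
    printf 'session     required      pam_lastlog.so showfailed %s\n' "$1" > "$f"
    echo "$f"
}
make_sshd_config() {  # $1 = PrintLastLog line, may be empty
    f=$(mktemp)
    printf '# PrintLastLog no\nUsePAM yes\n%s\n' "$1" > "$f"
    echo "$f"
}

pam=$(make_pam silent)
for line in "" "PrintLastLog yes" "printlastlog no"; do
    cfg=$(make_sshd_config "$line")
    printf '%-20s -> %s\n' "'$line'" "$(lastlog_check "$pam" "$cfg")"
    rm -f "$cfg"
done
rm -f "$pam"
```

The first case, an sshd_config with no PrintLastLog line at all, is exactly the default configuration that DISA’s V1R2 wording flags; here it passes, because the effective value is yes.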


17. Removed RHEL-07-030790 Removed requirement due to differences in package availability in standard installation

Rule title:
All uses of the pt_chown command must be audited.

What changed?
pt_chown has a history of vulnerabilities, starting with CVE-1999-0720 in 1999 and including CVE-2013-2207 in 2013. As a result, DISA wanted every execution of the binary audited, even on operating systems that no longer ship it. They’ve finally dropped the rule.
