diff --git a/Cat_1/RHEL-07-010440.yml b/Cat_1/RHEL-07-010440.yml
index 473e7c1..dcbdf8d 100644
--- a/Cat_1/RHEL-07-010440.yml
+++ b/Cat_1/RHEL-07-010440.yml
@@ -4,7 +4,7 @@ file:
 /etc/gdm/custom.conf:
 title: RHEL_07_010440 | Must not allow an unattended or automatic logon to the system via a graphical user interface.
 exists: true
- contains:
+ contents:
 - '/^[aA]uto[mM]atic[lL]ogin[eE]nable=false/'
 - '!/^[aA]uto[mM]atic[lL]ogin[eE]nable=true/'
 meta:
diff --git a/Cat_1/RHEL-07-010450.yml b/Cat_1/RHEL-07-010450.yml
index ca42be7..c150aa3 100644
--- a/Cat_1/RHEL-07-010450.yml
+++ b/Cat_1/RHEL-07-010450.yml
@@ -4,7 +4,7 @@ file:
 /etc/gdm/custom.conf:
 title: RHEL-07-010450 | Must not allow an unrestricted logon to the system.
 exists: true
- contains:
+ contents:
 - '/^[[tT]imed[lL]ogin[eE]nable=false'
 - '!/^[[tT]imed[lL]ogin[eE]nable=true'
 meta:
diff --git a/Cat_1/RHEL-07-010482.yml b/Cat_1/RHEL-07-010482.yml
index 83ae2dd..f5ad47a 100644
--- a/Cat_1/RHEL-07-010482.yml
+++ b/Cat_1/RHEL-07-010482.yml
@@ -5,7 +5,7 @@ file:
 /boot/grub2/user.cfg:
 title: RHEL-07-010482 | Require authentication upon booting into single-user and maintenance modes. | BIOS | (>=RHEL7.3)
 exists: true
- contains:
+ contents:
 - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/'
 meta:
 Cat: 1
diff --git a/Cat_1/RHEL-07-010490.yml b/Cat_1/RHEL-07-010490.yml
index 3f84c4c..96a1283 100644
--- a/Cat_1/RHEL-07-010490.yml
+++ b/Cat_1/RHEL-07-010490.yml
@@ -1,11 +1,11 @@
-{{ if .Vars.rhel7stig_legacyOS }}
+{{ if .Vars.rhel7stig_legacyOS }}
 {{ if not .Vars.rhel7stig_legacy_boot }}
 file:
 /boot/efi/EFI/redhat/grub.cfg:
 {{ if .Vars.RHEL_07_010490 }}
 title: RHEL-07-010490 | Require authentication upon booting into single-user and maintenance modes. | UEFI | (<= RHEL7.1)
 exists: true
- contains:
+ contents:
 - '/^password_pbkdf2\sroot\s.*/'
 meta:
 Cat: 1
diff --git a/Cat_1/RHEL-07-010491.yml b/Cat_1/RHEL-07-010491.yml
index 37bcd7f..507b74d 100644
--- a/Cat_1/RHEL-07-010491.yml
+++ b/Cat_1/RHEL-07-010491.yml
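Review bot: The two patterns under the renamed `contents:` key in RHEL-07-010450 are not well-formed goss regexes: each opens with `/` but has no closing `/`, so goss treats the whole value (including the leading `/^`) as a literal substring, and the extra `[` in `[[tT]` turns the class into "`[`, `t` or `T`". As a result the `=false` check can never match a real `TimedLoginEnable=false` line and the negated `=true` check passes vacuously, so the control reports a wrong verdict either way. The sibling patterns in RHEL-07-010440 in this same commit are correctly delimited and show the intended shape. Suggested lines: `- '/^[tT]imed[lL]ogin[eE]nable=false/'` and `- '!/^[tT]imed[lL]ogin[eE]nable=true/'`. The enclosing file block continues past `meta:` outside the hunk.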
@@ -1,11 +1,11 @@
-{{ if not .Vars.rhel7stig_legacyOS }}
+{{ if not .Vars.rhel7stig_legacyOS }}
 {{ if not .Vars.rhel7stig_legacy_boot }}
 {{ if .Vars.RHEL_07_010491 }}
 file:
 /boot/efi/EFI/redhat/user.cfg:
 title: RHEL-07-010491 | Require authentication upon booting into single-user and maintenance modes. | UEFI | user.cfg | (>=RHEL7.3)
 exists: true
- contains:
+ contents:
 - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/'
 meta:
 Cat: 1
diff --git a/Cat_1/RHEL-07-020231.yml b/Cat_1/RHEL-07-020231.yml
index bb173a1..3f301af 100644
--- a/Cat_1/RHEL-07-020231.yml
+++ b/Cat_1/RHEL-07-020231.yml
@@ -4,7 +4,7 @@ file:
 /etc/dconf/db/local.d/00-disable-CAD:
 title: RHEL_07_020231 | Must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
 exists: true
- contains:
+ contents:
 - '/[org/gnome/settings-daemon/plugins/media-keys]/'
 - '^logout="'
 meta:
diff --git a/Cat_1/RHEL-07-020250.yml b/Cat_1/RHEL-07-020250.yml
index 538715d..aaac568 100644
--- a/Cat_1/RHEL-07-020250.yml
+++ b/Cat_1/RHEL-07-020250.yml
@@ -4,7 +4,7 @@ file:
 /etc/redhat-release:
 title: RHEL_07_020250 | The Red Hat Enterprise Linux operating system must be a vendor supported release. | Not EUS
 exists: true
- contains:
+ contents:
 - '/^Red Hat Enterprise Linux Server release 7.\b([9]|1[0-2])\b/'
 meta:
 Cat: 1
diff --git a/Cat_1/RHEL-07-040800.yml b/Cat_1/RHEL-07-040800.yml
index 59970db..1334db2 100644
--- a/Cat_1/RHEL-07-040800.yml
+++ b/Cat_1/RHEL-07-040800.yml
@@ -3,7 +3,7 @@ file:
 /etc/snmp/snmpd.conf:
 title: RHEL_07_040800 | SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
 exists: true
- contains:
+ contents:
 - '!/^%\ssnmp.*public.*$/'
 - '!/^%\ssnmp.*private.*$/'
 meta:
diff --git a/Cat_2/RHEL-07-010050.yml b/Cat_2/RHEL-07-010050.yml
index 62bb029..a7f15c1 100644
--- a/Cat_2/RHEL-07-010050.yml
+++ b/Cat_2/RHEL-07-010050.yml
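Review bot: The first pattern in RHEL-07-020231, `'/[org/gnome/settings-daemon/plugins/media-keys]/'`, is a regex whose entire body is one bracket character class, so it is satisfied by any line containing a single one of those letters or a `/`, and the second, `'^logout="'`, is not `/`-delimited and is therefore a literal substring search in which `^` is an ordinary character that never appears in a dconf file. Taken together the control passes on almost any file for the section header and can never be satisfied for the `logout` key. Suggested lines: `- '/^\[org/gnome/settings-daemon/plugins/media-keys\]/'` and `- '/^logout=/'`, with the expected (disabled) value pinned in the second regex once the intended file content is confirmed. The file block continues past `meta:` outside the hunk.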
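Review bot: The negated patterns in RHEL-07-040800 are anchored to `^%\ssnmp`, which does not correspond to snmpd.conf syntax; default community strings typically appear on `com2sec` or `rocommunity` directives (e.g. `com2sec notConfigUser default public`), so these negations can never fire and a stock configuration that still carries the default strings passes the control. A form that follows the STIG check (look for the default strings outside comments) would be `- '!/^[^#]*\bpublic\b/'` and `- '!/^[^#]*\bprivate\b/'`. The file block continues past `meta:` outside the hunk.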
@@ -3,7 +3,7 @@ file:
 /etc/issue:
 title: RHEL-07-010050 | Must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
 exists: true
- contains:
+ contents:
 {{ if .Vars.rhel7stig_use_disa_banner}}
 - '/{{ .Vars.rhel7stig_disa_logon_banner }}/'
 {{ end }}
diff --git a/Cat_2/RHEL-07-010063.yml b/Cat_2/RHEL-07-010063.yml
index 2c339e8..05fd2d3 100644
--- a/Cat_2/RHEL-07-010063.yml
+++ b/Cat_2/RHEL-07-010063.yml
@@ -18,7 +18,7 @@ file:
 /etc/dconf/profile/gdm:
 title: RHEL-07-010063 | Must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
 exists: true
- contains:
+ contents:
 - '/^user-db:user/'
 - '/^system-db:gdm/'
 - '/^file-db:/usr/share/gdm/greeter-dconf-defaults/'
diff --git a/Cat_2/RHEL-07-010199.yml b/Cat_2/RHEL-07-010199.yml
index 1bee74e..1968cc5 100644
--- a/Cat_2/RHEL-07-010199.yml
+++ b/Cat_2/RHEL-07-010199.yml
@@ -1,5 +1,5 @@
 {{ if .Vars.RHEL_07_010199 }}
-file:
+file:
 /etc/pam.d/password-auth:
 title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | passwd-auth-local.
 exists: true
@@ -30,7 +30,7 @@ file:
 owner: root
 group: root
 filetype: file
- contains:
+ contents:
 - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
 - '/^auth\s+include password-auth-ac/'
 - '/^auth\s+sufficient pam_unix.so try_first_pass/'
@@ -55,8 +55,7 @@ file:
 owner: root
 group: root
 filetype: file
- contains:
- contains:
+ contents:
 - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
 - '/^auth\s+include system-auth-ac/'
 - '/^auth\s+sufficient pam_unix.so try_first_pass/'
diff --git a/Cat_2/RHEL-07-010500.yml b/Cat_2/RHEL-07-010500.yml
index ad224dc..b099de1 100644
--- a/Cat_2/RHEL-07-010500.yml
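Review bot: The pam_faillock patterns in the `@@ -30` and `@@ -55` hunks of RHEL-07-010199 hard-code exactly one space between each module option and a fixed option order, so an otherwise compliant `auth required pam_faillock.so ...` line written with tabs, aligned columns or the options in another order fails the control, and the `.` in `pam_faillock.so` / `pam_unix.so` is an unescaped wildcard. Consider `\s+` between tokens, e.g. `- '/^auth\s+required\s+pam_faillock\.so\s+preauth\s+silent\s+audit\s+deny=3\s+even_deny_root\s+fail_interval=900\s+unlock_time=900/'`, or one pattern per required option (`preauth`, `deny=3`, `even_deny_root`, ...) so that order does not matter. Both hunks sit inside file blocks whose start and end are outside the hunks.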
+++ b/Cat_2/RHEL-07-010500.yml
@@ -4,7 +4,7 @@ file:
 /etc/pam_pkcs11/pkcs_eventmgr.conf:
 title: RHEL-07-010500 | Must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
 exists: true
- contains:
+ contents:
 - '/^usr/X11R6/bin/xscreensaver-command -lock/'
 - '/^use_pkcs11_module = cackey;/'
 meta:
diff --git a/Cat_2/RHEL-07-020111.yml b/Cat_2/RHEL-07-020111.yml
index fe9930b..2464f57 100644
--- a/Cat_2/RHEL-07-020111.yml
+++ b/Cat_2/RHEL-07-020111.yml
@@ -1,10 +1,10 @@
 {{ if .Vars.rhel7stig_gui }}
 {{ if .Vars.RHEL_07_020111 }}
-file:
+file:
 /etc/dconf/db/local.d/00-No-Automount:
 title: RHEL-07-020111 | Must disable the graphical user interface automounter unless required.
 exists: true
- contains:
+ contents:
 - '/^automount=false/'
 - '/^automount-open=false/'
 - '/^autorun-never=true/'
diff --git a/Cat_2/RHEL-07-021700.yml b/Cat_2/RHEL-07-021700.yml
index 74f34d1..2d51328 100644
--- a/Cat_2/RHEL-07-021700.yml
+++ b/Cat_2/RHEL-07-021700.yml
@@ -25,7 +25,7 @@ command:
 title: RHEL-07-021700 | Must not allow removable media to be used as the boot loader unless approved.
 exec: grep 'set root' /boot/grub2/grub.cfg
 exit-status: 0
- contains:
+ contents:
 - {{ .Vars.rhel7stig_grub_bootloader_validorder }}
 meta:
 Cat: 2
diff --git a/Cat_2/RHEL-07-030201.yml b/Cat_2/RHEL-07-030201.yml
index fc9b1ad..7c59d29 100644
--- a/Cat_2/RHEL-07-030201.yml
+++ b/Cat_2/RHEL-07-030201.yml
@@ -3,7 +3,7 @@ file:
 /etc/audisp/plugins.d/au-remote.conf:
 title: RHEL-07-030201 | Must be configured to off-load audit logs onto a different system or storage media from the system being audited.
 exists: true
- contains:
+ contents:
 - '/^active = yes/'
 - '/^direction = out/'
 - '/^path = /sbin/audisp-remote/'
diff --git a/Cat_2/RHEL-07-040201.yml b/Cat_2/RHEL-07-040201.yml
index ebc3536..4d021fe 100644
--- a/Cat_2/RHEL-07-040201.yml
+++ b/Cat_2/RHEL-07-040201.yml
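Review bot: The first pattern in RHEL-07-010500, `'/^usr/X11R6/bin/xscreensaver-command -lock/'`, is anchored to a line that begins with `usr/`, but the setting this STIG prescribes for pkcs_eventmgr.conf is an indented `action = "/usr/X11R6/bin/xscreensaver-command -lock",` entry inside the `card_remove` event, so the anchor keeps the regex from ever matching and the control fails on a correctly configured host. Dropping the anchor, `- '/usr/X11R6/bin/xscreensaver-command -lock/'`, or matching the full `action` line would fix it; I have not verified the exact layout of that file here, so please confirm against a configured system. The file block continues past `meta:` outside the hunk.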
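Review bot: RHEL-07-021700 is a `command:` resource (see the hunk header), and goss's command resource asserts its output under `stdout:` (and `stderr:`), whereas `contents:` is the `file:` resource's key, so this rename moves from one key the command resource does not evaluate to another and the `grep 'set root'` output is still never checked. Suggested line: `stdout:` in place of `+ contents:`. Separately, `- {{ .Vars.rhel7stig_grub_bootloader_validorder }}` is an unquoted templated scalar, so an expansion that starts with `/`, `[` or `{`, or contains `: ` or ` #`, is re-interpreted by the YAML parser before goss sees it; `- '{{ .Vars.rhel7stig_grub_bootloader_validorder }}'` is safer. The command block starts before the hunk.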
@@ -14,7 +14,7 @@ file:
 /proc/sys/kernel/randomize_va_space:
 title: RHEL-07-040201 | Must implement virtual address space randomization.
 exists: true
- contains:
+ contents:
 - '2'
 meta:
 Cat: 2
diff --git a/Cat_2/RHEL-07-040500.yml b/Cat_2/RHEL-07-040500.yml
index d8fdd5a..b7233b5 100644
--- a/Cat_2/RHEL-07-040500.yml
+++ b/Cat_2/RHEL-07-040500.yml
@@ -4,7 +4,7 @@ file:
 /etc/ntp.conf:
 title: RHEL-07-040500 | Must for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
 exists: true
- contains:
+ contents:
 - '/^maxpoll ([0-9]|1[0-6])/'
 meta:
 Cat: 2
@@ -20,7 +20,7 @@ file:
 /etc/chrony.conf:
 title: RHEL-07-040500 | Must for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
 exists: true
- contains:
+ contents:
 - '/server\s.*maxpoll ([0-9]|1[0-6])$/'
 meta:
 Cat: 2
diff --git a/Cat_2/RHEL-07-040720.yml b/Cat_2/RHEL-07-040720.yml
index 6a11ccd..d1d6377 100644
--- a/Cat_2/RHEL-07-040720.yml
+++ b/Cat_2/RHEL-07-040720.yml
@@ -4,7 +4,7 @@ file:
 /etc/xinetd.d/tftp:
 title: RHEL-07-040720 | Must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.
 exists: true
- contains:
+ contents:
 - '/^server_args = -s /var/lib/tftpboot/'
 meta:
 Cat: 2
diff --git a/Cat_3/RHEL-07-040600.yml b/Cat_3/RHEL-07-040600.yml
index df88186..7a53de2 100644
--- a/Cat_3/RHEL-07-040600.yml
+++ b/Cat_3/RHEL-07-040600.yml
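Review bot: The ntp pattern in RHEL-07-040500, `'/^maxpoll ([0-9]|1[0-6])/'`, is anchored to a line that starts with `maxpoll`, but in ntp.conf `maxpoll` is an option on the `server` line (`server <host> maxpoll 10`), so a compliant configuration cannot satisfy it; the chrony hunk in the same file already uses the `server\s.*maxpoll` shape. The ntp pattern also lacks the trailing anchor the chrony one has, so `maxpoll 17` passes via the `[0-9]` alternative matching the `1`. Suggested line: `- '/^server\s.*maxpoll ([0-9]|1[0-6])\b/'`. The file block may continue past `Cat: 2` outside the hunk.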
@@ -3,7 +3,7 @@ file:
 /etc/resolv.conf:
 title: RHEL-07-040600 | Using DNS resolution, at least two name servers must be configured.
 exists: true
- contains:
+ contents:
 {{ range .Vars.rhel7stig_nameservers }}
 - 'nameserver {{ . }}'
 {{ end }}