From b327a7c1d61495ee3ac0908b0aef701d57c5f287 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 27 Mar 2026 12:48:13 +0100
Subject: [PATCH 1/8] Add hummingbird product definition

Introduce the new "hummingbird" product with product.yml, CMakeLists, build script entry, constants, OVAL platform check, and CIS/STIG profile skeletons. This commit adds compliance content for scanning Red Hat's Hummingbird container images and containers. Hummingbird images are based on their own special Linux distribution, also called Hummingbird, which isn't a RHEL derivative nor Fedora variant. See https://hummingbird-project.io/.
---
 CMakeLists.txt | 5 +++
 build_product | 1 +
 products/hummingbird/CMakeLists.txt | 6 ++++
 products/hummingbird/product.yml | 23 +++++++++++++
 products/hummingbird/profiles/cis.profile | 24 +++++++++++++
 products/hummingbird/profiles/stig.profile | 23 +++++++++++++
 .../oval/installed_OS_is_hummingbird.xml | 34 +++++++++++++++++++
 .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
 ssg/constants.py | 5 ++-
 9 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 products/hummingbird/CMakeLists.txt
 create mode 100644 products/hummingbird/product.yml
 create mode 100644 products/hummingbird/profiles/cis.profile
 create mode 100644 products/hummingbird/profiles/stig.profile
 create mode 100644 shared/checks/oval/installed_OS_is_hummingbird.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ab899deea925..652f069404f3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -96,6 +96,7 @@ option(SSG_PRODUCT_EKS "If enabled, the EKS SCAP content will be built" ${SSG_PR
 option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
 option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_HUMMINGBIRD "If enabled, the Hummingbird SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_KYLINSERVER10 "If enabled, the Kylin Server V10 content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OCP4 "If enabled, the OCP4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_OL7 "If enabled, the Oracle Linux 7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -333,6 +334,7 @@ message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
 message(STATUS "EKS: ${SSG_PRODUCT_EKS}")
 message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
 message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
+message(STATUS "Hummingbird: ${SSG_PRODUCT_HUMMINGBIRD}")
 message(STATUS "Kylin Server V10: ${SSG_PRODUCT_KYLINSERVER10}")
 message(STATUS "OCP4: ${SSG_PRODUCT_OCP4}")
 message(STATUS "RHCOS4: ${SSG_PRODUCT_RHCOS4}")
@@ -418,6 +420,9 @@ endif()
 if(SSG_PRODUCT_FIREFOX)
 add_subdirectory("products/firefox" "firefox")
 endif()
+if(SSG_PRODUCT_HUMMINGBIRD)
+ add_subdirectory("products/hummingbird" "hummingbird")
+endif()
 if(SSG_PRODUCT_KYLINSERVER10)
 add_subdirectory("products/kylinserver10" "kylinserver10")
 endif()
diff --git a/build_product b/build_product
index 76e3d3a69854..cc8884e7cdba 100755
--- a/build_product
+++ b/build_product
@@ -340,6 +340,7 @@ all_cmake_products=(
 EXAMPLE
 FEDORA
 FIREFOX
+ HUMMINGBIRD
 KYLINSERVER10
 OCP4
 OL7
diff --git a/products/hummingbird/CMakeLists.txt b/products/hummingbird/CMakeLists.txt
new file mode 100644
index 000000000000..24883fecc61b
--- /dev/null
+++ b/products/hummingbird/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd hummingbird; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("hummingbird")
diff --git a/products/hummingbird/product.yml b/products/hummingbird/product.yml
new file mode 100644
index 000000000000..70ae90fe910a
--- /dev/null
+++ b/products/hummingbird/product.yml
@@ -0,0 +1,23 @@
+product: hummingbird
+full_name: Hummingbird
+type: platform
+
+benchmark_id: HUMMINGBIRD
+benchmark_root: "../../linux_os/guide"
+components_root: "../../components"
+
+profiles_root: "./profiles"
+
+pkg_manager: "dnf"
+
+init_system: "systemd"
+
+cpes_root: "../../shared/applicability"
+cpes:
+ - hummingbird:
+ name: "cpe:/a:redhat:hummingbird"
+ title: "Hummingbird"
+ check_id: installed_OS_is_hummingbird
+
+reference_uris:
+ cis: 'https://www.cisecurity.org/benchmark/red_hat_linux/'
diff --git a/products/hummingbird/profiles/cis.profile b/products/hummingbird/profiles/cis.profile
new file mode 100644
index 000000000000..9b1f5661aa7d
--- /dev/null
+++ b/products/hummingbird/profiles/cis.profile
@@ -0,0 +1,24 @@
+---
+documentation_complete: true
+
+metadata:
+ version: vendor
+ SMEs:
+ - mab879
+ - ggbecker
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: 'CIS Red Hat Hummingbird Benchmark for Level 2 - Server'
+
+description: |-
+ This profile defines a baseline inspired by the "Level 2 - Server"
+ configuration from the Center for Internet Security® Red Hat Enterprise
+ Linux 10 Benchmark™, v1.0.1, released 2025-09-30, modified and tailored
+ to Hummingbird container images.
+
+ This profile includes Center for Internet Security®
+ Red Hat Enterprise Linux 10 CIS Benchmarks™ content.
+
+selections:
+ - cis_hummingbird:all:l2_server
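Review bot: The product CPE `cpe:/a:redhat:hummingbird` in product.yml uses the application part (`a`) for something the same file declares as `type: platform` and the commit message calls a Linux distribution, where the operating-system part (`cpe:/o:`) would normally be expected; the OVAL state added in this patch anchors on the same `a:` form, so this looks deliberate, but nothing on the page says why. Add a one-line comment above `cpes:` such as `# Hummingbird publishes an application-part CPE (cpe:/a:...) in /etc/system-release-cpe; installed_OS_is_hummingbird matches that exact form`, so a later "correction" to `/o:` does not silently make every rule not applicable.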
diff --git a/products/hummingbird/profiles/stig.profile b/products/hummingbird/profiles/stig.profile
new file mode 100644
index 000000000000..e2f585834d9f
--- /dev/null
+++ b/products/hummingbird/profiles/stig.profile
@@ -0,0 +1,23 @@
+---
+documentation_complete: true
+
+metadata:
+ version: vendor
+ SMEs:
+ - jcerny
+
+reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'Red Hat STIG for Red Hat Hummingbird'
+
+description: |-
+ This is a profile based on what is expected in the Hummingbird STIG.
+ It is not based on the DISA STIG for Hummingbird, because it was not available at time of
+ the release.
+
+ In addition to being applicable to Red Hat Hummingbird, this
+ configuration baseline is applicable to the operating system tier of
+ Red Hat technologies that are based on Red Hat Hummingbird.
+
+selections:
+ - stig_hummingbird:all
diff --git a/shared/checks/oval/installed_OS_is_hummingbird.xml b/shared/checks/oval/installed_OS_is_hummingbird.xml
new file mode 100644
index 000000000000..da3b70d59ec8
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_hummingbird.xml
@@ -0,0 +1,34 @@
+ + + Installed operating system is hummingbird + + multi_platform_all + + + The operating system installed on the system is hummingbird + + + + + + + + + + + + + hummingbird-release.* + + + + + + + /etc/system-release-cpe + ^cpe:\/a:redhat:hummingbird:[\d]+$ + 1 + + +
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index b718ded260cc..a190c89497e9 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -9,6 +9,7 @@
 multi_platform_debian
 multi_platform_example
 multi_platform_fedora
+ multi_platform_hummingbird
 multi_platform_kylinserver
 multi_platform_openembedded
 multi_platform_openeuler
diff --git a/ssg/constants.py b/ssg/constants.py
index fa70c4bb4a55..f6b991107170 100644
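Review bot: The pattern `^cpe:\/a:redhat:hummingbird:[\d]+$` matched against `/etc/system-release-cpe` in installed_OS_is_hummingbird.xml accepts only a bare integer as the version field (the XML markup of this hunk was lost in rendering, so the surrounding object/state structure is inferred), so a release CPE with a dotted version or an extra field, e.g. `cpe:/a:redhat:hummingbird:1.0`, would not match and every rule gated on this platform would quietly evaluate as not applicable instead of reporting a problem. If the image guarantees a single-integer version this is fine and worth stating; otherwise widen the tail, e.g. `^cpe:\/a:redhat:hummingbird:[\d]+(\.[\d]+)*$`. Either way, a comment on the state such as `<!-- /etc/system-release-cpe on Hummingbird is exactly cpe:/a:redhat:hummingbird:<major>; the anchors keep other redhat CPEs from matching -->` documents the contract the applicability check depends on.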
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -220,6 +220,7 @@
 "Amazon Elastic Kubernetes Service": "eks",
 "Fedora": "fedora",
 "Firefox": "firefox",
+ "Hummingbird": "hummingbird",
 "Kylin Server 10": "kylinserver10",
 "Red Hat OpenShift Container Platform 4": "ocp4",
 "Red Hat Enterprise Linux CoreOS 4": "rhcos4",
@@ -289,7 +290,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
- "openeuler", "kylinserver",
+ "openeuler", "kylinserver", "hummingbird",
 "opensuse", "sle", "tencentos", "ol", "ocp", "rhcos", "example",
 "eks", "alinux", "anolis", "openembedded", "al", "slmicro", "almalinux"]
@@ -302,6 +303,7 @@
 "multi_platform_example": ["example"],
 "multi_platform_eks": ["eks"],
 "multi_platform_fedora": ["fedora"],
+ "multi_platform_hummingbird": ["hummingbird"],
 "multi_platform_kylinserver": ["kylinserver10"],
 "multi_platform_openeuler": ["openeuler2203"],
 "multi_platform_opensuse": ["opensuse"],
@@ -426,6 +428,7 @@
 'anolis': 'Anolis OS',
 'fedora': 'Fedora',
 'firefox': 'Mozilla Firefox',
+ 'hummingbird': 'Hummingbird',
 'kylinserver': 'Kylin Server',
 'rhel': 'Red Hat Enterprise Linux',
 'rhv': 'Red Hat Virtualization',
From e828433099a0e31131de837b97cec402553c21bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 27 Mar 2026 12:48:30 +0100
Subject: [PATCH 2/8] Add hummingbird CIS and STIG control files

Add control files mapping CIS and STIG requirements to rules for the hummingbird product. The profile are derived from RHEL 10 profiles, but rules that aren't applicable to containers aren't selected.
---
 .../hummingbird/controls/cis_hummingbird.yml | 2522 +++++++++++++++++
 .../hummingbird/controls/stig_hummingbird.yml | 1286 +++++++++
 2 files changed, 3808 insertions(+)
 create mode 100644 products/hummingbird/controls/cis_hummingbird.yml
 create mode 100644 products/hummingbird/controls/stig_hummingbird.yml
diff --git a/products/hummingbird/controls/cis_hummingbird.yml b/products/hummingbird/controls/cis_hummingbird.yml
new file mode 100644
index 000000000000..da15565af106
--- /dev/null
+++ b/products/hummingbird/controls/cis_hummingbird.yml
@@ -0,0 +1,2522 @@ +policy: CIS Benchmark for Red Hat Hummingbird +title: CIS Benchmark for Red Hat Hummingbird +id: cis_hummingbird +version: vendor +source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux + +levels: + - id: l1_server + - id: l2_server + inherits_from: + - l1_server + - id: l1_workstation + - id: l2_workstation + inherits_from: + - l1_workstation + +reference_type: cis +product: hummingbird + +controls: + + - id: reload_dconf_db + title: Reload Dconf database + levels: + - l1_server + - l1_workstation + notes: |- + This is a helper rule to reload Dconf database correctly. + status: not applicable + + - id: 1.1.1.1 + title: Ensure cramfs kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.1.2 + title: Ensure freevxfs kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.1.3 + title: Ensure hfs kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.1.4 + title: Ensure hfsplus kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.1.5 + title: Ensure jffs2 kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.1.6 + title: Ensure overlay kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.1.7 + title: Ensure squashfs kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.1.8 + title: Ensure udf kernel module is not available (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.1.9 + title: Ensure firewire-core kernel module is not available (Automated) + levels: + - l1_server + - l2_workstation + status: not 
applicable + + - id: 1.1.1.10 + title: Ensure usb-storage kernel module is not available (Automated) + levels: + - l1_server + - l2_workstation + status: not applicable + + - id: 1.1.1.11 + title: Ensure unused filesystems kernel modules are not available (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 1.1.2.1.1 + title: Ensure /tmp is tmpfs or a separate partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.1.2 + title: Ensure nodev option set on /tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.1.3 + title: Ensure nosuid option set on /tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.1.4 + title: Ensure noexec option set on /tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.2.1 + title: Ensure /dev/shm is tmpfs or a separate partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.2.2 + title: Ensure nodev option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.2.3 + title: Ensure nosuid option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.2.4 + title: Ensure noexec option set on /dev/shm partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.3.1 + title: Ensure separate partition exists for /home (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.2.3.2 + title: Ensure nodev option set on /home partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.3.3 + title: Ensure nosuid option set on /home partition (Automated) + levels: + - l1_server + - l1_workstation + 
status: not applicable + + - id: 1.1.2.4.1 + title: Ensure separate partition exists for /var (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.2.4.2 + title: Ensure nodev option set on /var partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.4.3 + title: Ensure nosuid option set on /var partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.5.1 + title: Ensure separate partition exists for /var/tmp (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.2.5.2 + title: Ensure nodev option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.5.3 + title: Ensure nosuid option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.5.4 + title: Ensure noexec option set on /var/tmp partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.6.1 + title: Ensure separate partition exists for /var/log (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.2.6.2 + title: Ensure nodev option set on /var/log partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.6.3 + title: Ensure nosuid option set on /var/log partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.6.4 + title: Ensure noexec option set on /var/log partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.7.1 + title: Ensure separate partition exists for /var/log/audit (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.1.2.7.2 + title: Ensure nodev option set on /var/log/audit partition (Automated) + levels: + - l1_server 
+ - l1_workstation + status: not applicable + + - id: 1.1.2.7.3 + title: Ensure nosuid option set on /var/log/audit partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.1.2.7.4 + title: Ensure noexec option set on /var/log/audit partition (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.2.1.1 + title: Ensure GPG keys are configured (Manual) + levels: + - l1_server + - l1_workstation + status: partial + rules: + - ensure_redhat_gpgkey_installed + notes: > + In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories. + However, for official images, we assume that the official images will contain only RPM packages + signed by Red Hat which allows us to check the requirement automatically by adding the rule + ensure_redhat_gpgkey_installed to the profile. + + - id: 1.2.1.2 + title: Ensure gpgcheck is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.2.1.3 + title: Ensure repo_gpgcheck is globally activated (Manual) + levels: + - l2_server + - l2_workstation + status: manual + + - id: 1.2.1.4 + title: Ensure package manager repositories are configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 1.2.1.5 + title: Ensure weak dependencies are configured (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.2.2.1 + title: Ensure updates, patches, and additional security software are installed (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 1.3.1.1 + title: Ensure SELinux is installed (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.3.1.2 + title: Ensure SELinux is not disabled in bootloader configuration (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.3.1.3 + title: Ensure SELinux policy is configured 
(Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.3.1.4 + title: Ensure the SELinux mode is not disabled (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.3.1.5 + title: Ensure the SELinux mode is enforcing (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.3.1.6 + title: Ensure no unconfined services exist (Manual) + levels: + - l2_server + - l2_workstation + status: manual + + - id: 1.3.1.7 + title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.3.1.8 + title: Ensure SETroubleshoot is not installed (Automated) + levels: + - l1_server + status: not applicable + + - id: 1.4.1 + title: Ensure bootloader password is set (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + notes: |- + There is no automated remediation for this rule and this is intentional. + More details in the rule description. + + - id: 1.4.2 + title: Ensure access to bootloader config is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + notes: This requirement demands a deeper review of the rules. 
+ + - id: 1.5.1 + title: Ensure core file size is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.2 + title: Ensure fs.protected_hardlinks is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.3 + title: Ensure fs.protected_symlinks is configured (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 1.5.4 + title: Ensure fs.suid_dumpable is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.5 + title: Ensure kernel.dmesg_restrict is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.6 + title: Ensure kernel.kptr_restrict is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.7 + title: Ensure kernel.yama.ptrace_scope is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.8 + title: Ensure kernel.randomize_va_space is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + notes: |- + Address Space Layout Randomization (ASLR) + + - id: 1.5.9 + title: Ensure systemd-coredump ProcessSizeMax is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.5.10 + title: Ensure systemd-coredump Storage is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.6.1 + title: Ensure system wide crypto policy is not set to legacy (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - configure_crypto_policy + - var_system_crypto_policy=default_policy + + - id: 1.6.2 + title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - configure_crypto_policy + - 
var_system_crypto_policy=default_policy + + - id: 1.6.3 + title: Ensure system wide crypto policy macs are configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - configure_crypto_policy + - var_system_crypto_policy=default_policy + + - id: 1.6.4 + title: Ensure system wide crypto policy disables cbc for ssh (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.7.1 + title: Ensure /etc/motd is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.7.2 + title: Ensure /etc/issue is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.7.3 + title: Ensure /etc/issue.net is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.7.4 + title: Ensure access to /etc/motd is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + + - id: 1.7.5 + title: Ensure access to /etc/issue is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + + - id: 1.7.6 + title: Ensure access to /etc/issue.net is configured (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - file_groupowner_etc_issue_net + - file_owner_etc_issue_net + - file_permissions_etc_issue_net + + - id: 1.8.1 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.8.2 + title: Ensure GDM disable-user-list is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.8.3 + title: Ensure GDM screen lock is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not 
applicable + + - id: 1.8.4 + title: Ensure GDM automount is configured (Automated) + levels: + - l1_server + - l2_workstation + status: not applicable + + - id: 1.8.5 + title: Ensure GDM autorun-never is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 1.8.6 + title: Ensure Xwayland is configured (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 2.1.1 + title: Ensure autofs services are not in use (Automated) + levels: + - l1_server + - l2_workstation + status: not applicable + + - id: 2.1.2 + title: Ensure avahi daemon services are not in use (Automated) + levels: + - l1_server + - l2_workstation + status: not applicable + + - id: 2.1.3 + title: Ensure cockpit web services are not in use (Automated) + levels: + - l2_server + - l2_workstation + status: not applicable + + - id: 2.1.4 + title: Ensure dhcp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_kea_removed + + - id: 2.1.5 + title: Ensure dns server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_bind_removed + + - id: 2.1.6 + title: Ensure dnsmasq services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.1.7 + title: Ensure ftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_vsftpd_removed + + - id: 2.1.8 + title: Ensure message access server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_dovecot_removed + - package_cyrus-imapd_removed + + - id: 2.1.9 + title: Ensure network file system services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + notes: |- + Many of the libvirt packages used by Enterprise Linux 
virtualization are dependent on the + nfs-utils package. + + - id: 2.1.10 + title: Ensure print server services are not in use (Automated) + levels: + - l1_server + status: not applicable + + - id: 2.1.11 + title: Ensure rpcbind services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + notes: |- + Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils + package used for The Network File System (NFS), are dependent on the rpcbind package. + + - id: 2.1.12 + title: Ensure rsync services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_rsync_removed + + - id: 2.1.13 + title: Ensure samba file server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_samba_removed + + - id: 2.1.14 + title: Ensure snmp services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_net-snmp_removed + + - id: 2.1.15 + title: Ensure telnet server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_telnet-server_removed + + - id: 2.1.16 + title: Ensure tftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_tftp-server_removed + + - id: 2.1.17 + title: Ensure web proxy server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_squid_removed + + - id: 2.1.18 + title: Ensure web server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_httpd_removed + - package_nginx_removed + + - id: 2.1.19 + title: Ensure GNOME Display Manager is removed (Automated) + levels: + - l2_server + status: not applicable + + - id: 2.1.20 + title: Ensure X window server 
services are not in use (Automated) + levels: + - l2_server + status: automated + rules: + - package_xorg-x11-server-Xwayland_removed + + - id: 2.1.21 + title: Ensure mail transfer agents are configured for local-only mode (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.1.22 + title: Ensure only approved services are listening on a network interface (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 2.2.1 + title: Ensure ftp client is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_ftp_removed + + - id: 2.2.2 + title: Ensure ldap client is not installed (Automated) + levels: + - l2_server + - l2_workstation + status: automated + rules: + - package_openldap-clients_removed + + - id: 2.2.3 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_telnet_removed + + - id: 2.2.4 + title: Ensure tftp client is not installed (Automated) + levels: + - l1_server + - l1_workstation + status: automated + rules: + - package_tftp_removed + + - id: 2.3.1 + title: Ensure time synchronization is in use (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.3.2 + title: Ensure chrony is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.3.3 + title: Ensure chrony is not run as the root user (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.1 + title: Ensure cron daemon is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.2 + title: Ensure access to /etc/crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.3 + title: Ensure access to /etc/cron.hourly is configured (Automated) + levels: + - l1_server + - 
l1_workstation + status: not applicable + + - id: 2.4.1.4 + title: Ensure access to /etc/cron.daily is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.5 + title: Ensure access to /etc/cron.weekly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.6 + title: Ensure access to /etc/cron.monthly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.7 + title: Ensure access to /etc/cron.yearly is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.8 + title: Ensure access to /etc/cron.d is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.1.9 + title: Ensure access to crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 2.4.2.1 + title: Ensure access to at is configured (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 3.1.1 + title: Ensure IPv6 status is identified (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 3.1.2 + title: Ensure wireless interfaces are not available (Automated) + levels: + - l1_server + status: not applicable + + - id: 3.1.3 + title: Ensure bluetooth services are not in use (Automated) + levels: + - l1_server + - l2_workstation + status: not applicable + + - id: 3.2.1 + title: Ensure atm kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 3.2.2 + title: Ensure can kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 3.2.3 + title: Ensure dccp kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + status: not applicable + + - id: 3.2.4 + title: Ensure tipc kernel module is 
not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.2.5
+ title: Ensure rds kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.2.6
+ title: Ensure sctp kernel module is not available (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.1
+ title: Ensure net.ipv4.ip_forward is configured (Automated)
+ levels:
+ - l1_workstation
+ - l2_server
+ status: not applicable
+
+ - id: 3.3.1.2
+ title: Ensure net.ipv4.conf.all.forwarding is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.3
+ title: Ensure net.ipv4.conf.default.forwarding is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.4
+ title: Ensure net.ipv4.conf.all.send_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.5
+ title: Ensure net.ipv4.conf.default.send_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.6
+ title: Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.7
+ title: Ensure net.ipv4.icmp_echo_ignore_broadcasts is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.8
+ title: Ensure net.ipv4.conf.all.accept_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.9
+ title: Ensure net.ipv4.conf.default.accept_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.10
+ title: Ensure net.ipv4.conf.all.secure_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.11
+ title: Ensure net.ipv4.conf.default.secure_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.12
+ title: Ensure net.ipv4.conf.all.rp_filter is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.13
+ title: Ensure net.ipv4.conf.default.rp_filter is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.14
+ title: Ensure net.ipv4.conf.all.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.15
+ title: Ensure net.ipv4.conf.default.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.16
+ title: Ensure net.ipv4.conf.all.log_martians is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.17
+ title: Ensure net.ipv4.conf.default.log_martians is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.1.18
+ title: Ensure net.ipv4.tcp_syncookies is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.1
+ title: Ensure net.ipv6.conf.all.forwarding is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.2
+ title: Ensure net.ipv6.conf.default.forwarding is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.3
+ title: Ensure net.ipv6.conf.all.accept_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.4
+ title: Ensure net.ipv6.conf.default.accept_redirects is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.5
+ title: Ensure net.ipv6.conf.all.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.6
+ title: Ensure net.ipv6.conf.default.accept_source_route is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.7
+ title: Ensure net.ipv6.conf.all.accept_ra is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 3.3.2.8
+ title: Ensure net.ipv6.conf.default.accept_ra is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 4.1.1
+ title: Ensure firewalld is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 4.1.2
+ title: Ensure firewalld backend is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 4.1.3
+ title: Ensure firewalld.service is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 4.1.4
+ title: Ensure firewalld active zone target is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: pending
+ notes: |-
+ There is not an easy way to do this for only active zones using OVAL.
+ For now, there are are no rules for this control.
+
+ - id: 4.1.5
+ title: Ensure firewalld loopback traffic is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ Firewalld in Red Hat Enterprise Linux 10 accepts loopback traffic by default.
+
+ - id: 4.1.6
+ title: Ensure firewalld loopback source address traffic is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 4.1.7
+ title: Ensure firewalld services and ports are configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 5.1.1
+ title: Ensure access to /etc/ssh/sshd_config is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.2
+ title: Ensure access to SSH private host key files is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.3
+ title: Ensure access to SSH public host key files is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.4
+ title: Ensure sshd access is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.5
+ title: Ensure sshd Banner is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.6
+ title: Ensure sshd Ciphers are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.7
+ title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ The requirement gives an example of 45 seconds, but is flexible about the values. It is only
+ necessary to ensure there is a timeout configured in alignment to the site policy.
+
+ - id: 5.1.8
+ title: Ensure sshd DisableForwarding is enabled (Automated)
+ levels:
+ - l1_workstation
+ - l2_server
+ status: not applicable
+
+ - id: 5.1.9
+ title: Ensure sshd GSSAPIAuthentication is disabled (Automated)
+ levels:
+ - l1_workstation
+ - l2_server
+ status: not applicable
+
+ - id: 5.1.10
+ title: Ensure sshd HostbasedAuthentication is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.11
+ title: Ensure sshd IgnoreRhosts is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.12
+ title: Ensure sshd KexAlgorithms is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ This CIS requirement shall be notapplicable on RHEL 10. The CIS
+ Benchmark requires disabling the weak SHA1 key exchange algorithms,
+ but RHEL 10 doesn't provide these algorithms.
+
+ - id: 5.1.13
+ title: Ensure sshd LoginGraceTime is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.14
+ title: Ensure sshd LogLevel is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ The CIS benchmark is not opinionated about which loglevel is selected here. Here, this
+ profile uses VERBOSE by default, as it allows for the capture of login and logout activity
+ as well as key fingerprints.
+
+ - id: 5.1.15
+ title: Ensure sshd MACs are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.16
+ title: Ensure sshd MaxAuthTries is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.17
+ title: Ensure sshd MaxStartups is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.18
+ title: Ensure sshd MaxSessions is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.19
+ title: Ensure sshd PermitEmptyPasswords is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.20
+ title: Ensure sshd PermitRootLogin is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.21
+ title: Ensure sshd PermitUserEnvironment is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.1.22
+ title: Ensure sshd UsePAM is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.2.1
+ title: Ensure sudo is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.2.2
+ title: Ensure sudo commands use pty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.2.3
+ title: Ensure sudo log file exists (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.2.4
+ title: Ensure users must provide password for escalation (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 5.2.5
+ title: Ensure re-authentication for privilege escalation is not disabled globally (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.2.6
+ title: Ensure sudo timestamp_timeout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.2.7
+ title: Ensure access to the su command is restricted (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ Members of "wheel" or GID 0 groups are checked by default if the group option is not set for
+ pam_wheel.so module. The recommendation states the group should be empty to reinforce the
+ use of "sudo" for privileged access. Therefore, members of these groups should be manually
+ checked or a different group should be informed.
+
+ - id: 5.3.1.1
+ title: Ensure active authselect profile includes pam modules (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ This rule verifies that the active authselect profile includes the required PAM modules:
+ pam_pwquality.so, pam_pwhistory.so, pam_faillock.so, and pam_unix.so in both system-auth
+ and password-auth files. The rule checks the authselect profile source files directly,
+ not the symlinked files in /etc/pam.d/. Other rules ensure these modules are properly
+ configured with correct options.
+
+ - id: 5.3.1.2
+ title: Ensure pam_faillock module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: This requirement is also indirectly satisfied by the requirement 5.3.2.1.
+
+ - id: 5.3.1.3
+ title: Ensure pam_pwquality module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: This requirement is also indirectly satisfied by the requirement 5.3.2.2.
+
+ - id: 5.3.1.4
+ title: Ensure pam_pwhistory module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ The module is properly enabled by the rules mentioned in related_rules.
+ Requirements in 5.3.2.3 use these rules.
+
+ - id: 5.3.1.5
+ title: Ensure pam_unix module is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.1.1
+ title: Ensure password failed attempts lockout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.1.2
+ title: Ensure password unlock time is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ The policy also accepts value 0, which means the locked accounts should be manually unlocked
+ by an administrator. However, it also mentions that using value 0 can facilitate a DoS
+ attack to legitimate users.
+
+ - id: 5.3.2.1.3
+ title: Ensure password failed attempts lockout includes root account (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 5.3.2.2.1
+ title: Ensure password number of changed characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.2.2
+ title: Ensure password length is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.2.3
+ title: Ensure password complexity is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ This requirement is expected to be manual. However, in previous versions of the policy
+ it was already automated the configuration of "minclass" option. This posture was kept for
+ RHEL 10 in this new version. Rules related to other options are informed in related_rules.
+ In short, minclass=4 alone can achieve the same result achieved by the combination of the
+ other 4 options mentioned in the policy.
+
+ - id: 5.3.2.2.4
+ title: Ensure password same consecutive characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.2.5
+ title: Ensure password maximum sequential characters is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.2.6
+ title: Ensure password dictionary check is enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.2.7
+ title: Ensure password quality is enforced for the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.3.1
+ title: Ensure password history remember is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure
+ retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry
+ can be used.
+
+ - id: 5.3.2.3.2
+ title: Ensure password history is enforced for the root user (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.3.2.3.3
+ title: Ensure pam_pwhistory includes use_authtok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ In RHEL 10 pam_pwhistory is enabled via authselect feature, as required in 5.3.1.4. The
+ feature automatically set "use_authok" option. In any case, we don't have a rule to check
+ this option specifically.
+
+ - id: 5.3.2.4.1
+ title: Ensure pam_unix does not include nullok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: The rule more specifically used in this requirement also satify the requirement 5.3.1.5.
+
+ - id: 5.3.2.4.2
+ title: Ensure pam_unix does not include remember (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ Usage of pam_unix.so module together with "remember" option is deprecated and is not
+ recommended by this policy. Instead, it should be used remember option of pam_pwhistory
+ module, as required in 5.3.2.3.1. See here for more details about pam_unix.so:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1778929
+
+ - id: 5.3.2.4.3
+ title: Ensure pam_unix includes a strong password hashing algorithm (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4
+
+ - id: 5.3.2.4.4
+ title: Ensure pam_unix includes use_authtok (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: |-
+ In RHEL 10 pam_unix is enabled by default in all authselect profiles already with the
+ use_authtok option set. In any case, we don't have a rule to check this option specifically,
+ like in 5.3.2.3.3.
+
+ - id: 5.4.1.1
+ title: Ensure password expiration is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.1.2
+ title: Ensure minimum password days is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 5.4.1.3
+ title: Ensure password expiration warning days is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.1.4
+ title: Ensure strong password hashing algorithm is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.1.5
+ title: Ensure inactive password lock is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.1.6
+ title: Ensure all users last password change date is in the past (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.2.1
+ title: Ensure root is the only UID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.2.2
+ title: Ensure root is the only GID 0 account (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: partial
+ notes: |-
+ There is assessment but no automated remediation for this rule and this sounds reasonable.
+
+ - id: 5.4.2.3
+ title: Ensure group root is the only GID 0 group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ notes: |-
+ There is assessment but no automated remediation for this rule and this sounds reasonable.
+ rules:
+ - groups_no_zero_gid_except_root
+
+ - id: 5.4.2.4
+ title: Ensure root account access is controlled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.2.5
+ title: Ensure root path integrity (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
+
+ - id: 5.4.2.6
+ title: Ensure root user umask is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.2.7
+ title: Ensure system accounts do not have a valid login shell (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.2.8
+ title: Ensure accounts without a valid login shell are locked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.3.1
+ title: Ensure nologin is not listed in /etc/shells (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 5.4.3.2
+ title: Ensure default user shell timeout is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 5.4.3.3
+ title: Ensure default user umask is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.1.1
+ title: Ensure AIDE is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.1.2
+ title: Ensure filesystem integrity is regularly checked (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.1.3
+ title: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.1.1
+ title: Ensure journald service is active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.1.2
+ title: Ensure journald log file access is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.1.3
+ title: Ensure journald log file rotation is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.1.4
+ title: Ensure only one logging system is in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.2.1.1
+ title: Ensure systemd-journal-remote is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.2.1.2
+ title: Ensure systemd-journal-upload authentication is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.2.1.3
+ title: Ensure systemd-journal-upload is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.2.1.4
+ title: Ensure systemd-journal-remote service is not in use (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.2.2
+ title: Ensure journald ForwardToSyslog is disabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.2.3
+ title: Ensure journald Compress is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.2.4
+ title: Ensure journald Storage is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 6.2.3.1
+ title: Ensure rsyslog is installed (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+
+ - id: 6.2.3.2
+ title: Ensure rsyslog service is enabled and active (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+
+ - id: 6.2.3.3
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+
+ - id: 6.2.3.4
+ title: Ensure rsyslog log file creation mode is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+
+ - id: 6.2.3.5
+ title: Ensure rsyslog logging is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.3.6
+ title: Ensure rsyslog is configured to send logs to a remote log host (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.3.7
+ title: Ensure rsyslog is not configured to receive logs from a remote client (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: supported
+
+ - id: 6.2.3.8
+ title: Ensure rsyslog logrotate is configured (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 6.2.4.1
+ title: Ensure access to all logfiles has been configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+ notes: It is not harmful to run these rules even if rsyslog is not installed or active.
+
+ - id: 6.3.1.1
+ title: Ensure auditd packages are installed (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.1.2
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.1.3
+ title: Ensure audit_backlog_limit is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.1.4
+ title: Ensure auditd service is enabled and active (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.2.1
+ title: Ensure audit log storage size is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.2.2
+ title: Ensure audit logs are not automatically deleted (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.2.3
+ title: Ensure system is disabled when audit logs are full (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.2.4
+ title: Ensure system warns when audit logs are low on space (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.1
+ title: Ensure modification of the /etc/sudoers file is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.2
+ title: Ensure actions as another user are always logged (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.3
+ title: Ensure events that modify the sudo log file are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.4
+ title: Ensure events that modify date and time information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.5
+ title: Ensure events that modify sethostname and setdomainname are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.6
+ title: Ensure events that modify /etc/issue and /etc/issue.net are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.7
+ title: Ensure events that modify /etc/hosts and /etc/hostname are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.8
+ title: Ensure events that modify /etc/sysconfig/network and /etc/NetworkManager/system-connections/ are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.9
+ title: Ensure events that modify /etc/NetworkManager directory are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.10
+ title: Ensure use of privileged commands are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.11
+ title: Ensure unsuccessful file access attempts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.12
+ title: Ensure events that modify /etc/group information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.13
+ title: Ensure events that modify /etc/passwd information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.14
+ title: Ensure events that modify /etc/shadow and /etc/gshadow are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.15
+ title: Ensure events that modify /etc/security/opasswd are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.16
+ title: Ensure events that modify /etc/nsswitch.conf file are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.17
+ title: Ensure events that modify /etc/pam.conf and /etc/pam.d/ information are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.18
+ title: Ensure discretionary access control permission modification events chmod,fchmod,fchmodat,fchmodat2 are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.19
+ title: Ensure discretionary access control permission modification events chown,fchown,lchown,fchownat are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.20
+ title: Ensure discretionary access control permission modification events setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.21
+ title: Ensure successful file system mounts are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.22
+ title: Ensure session initiation information is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.23
+ title: Ensure login and logout events are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.24
+ title: Ensure unlink file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.25
+ title: Ensure rename file deletion events by users are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.26
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.27
+ title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.28
+ title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.29
+ title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.30
+ title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.31
+ title: Ensure kernel module loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.32
+ title: Ensure kernel "init_module" and "finit_module" loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.33
+ title: Ensure kernel "delete_module" loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.34
+ title: Ensure kernel "query_module" loading unloading and modification is collected (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.35
+ title: Ensure the audit configuration is loaded regardless of errors (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.36
+ title: Ensure the audit configuration is immutable (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.3.37
+ title: Ensure the running and on disk configuration is the same (Manual)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: manual
+
+ - id: 6.3.4.1
+ title: Ensure the audit log file directory mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.2
+ title: Ensure audit log files mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.3
+ title: Ensure audit log files owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.4
+ title: Ensure audit log files group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.5
+ title: Ensure audit configuration files mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.6
+ title: Ensure audit configuration files owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.7
+ title: Ensure audit configuration files group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.8
+ title: Ensure audit tools mode is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.9
+ title: Ensure audit tools owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 6.3.4.10
+ title: Ensure audit tools group owner is configured (Automated)
+ levels:
+ - l2_server
+ - l2_workstation
+ status: not applicable
+
+ - id: 7.1.1
+ title: Ensure access to /etc/passwd is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_passwd
+ - file_owner_etc_passwd
+ - file_permissions_etc_passwd
+
+ - id: 7.1.2
+ title: Ensure access to /etc/passwd- is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+
+ - id: 7.1.3
+ title: Ensure access to /etc/group is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+
+ - id: 7.1.4
+ title: Ensure access to /etc/group- is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+
+ - id: 7.1.5
+ title: Ensure access to /etc/shadow is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_permissions_etc_shadow
+
+ - id: 7.1.6
+ title: Ensure access to /etc/shadow- is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+
+ - id: 7.1.7
+ title: Ensure access to /etc/gshadow is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_permissions_etc_gshadow
+
+ - id: 7.1.8
+ title: Ensure access to /etc/gshadow- is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_backup_etc_gshadow
+
+ - id: 7.1.9
+ title: Ensure access to /etc/shells is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_shells
+ - file_owner_etc_shells
+ - file_permissions_etc_shells
+
+ - id: 7.1.10
+ title: Ensure access to /etc/security/opasswd is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_groupowner_etc_security_opasswd
+ - file_owner_etc_security_opasswd
+ - file_permissions_etc_security_opasswd
+ - file_groupowner_etc_security_opasswd_old
+ - file_owner_etc_security_opasswd_old
+ - file_permissions_etc_security_opasswd_old
+
+ - id: 7.1.11
+ title: Ensure world writable files and directories are secured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_permissions_unauthorized_world_writable
+ - dir_perms_world_writable_sticky_bits
+
+ - id: 7.1.12
+ title: Ensure no files or directories without an owner and a group exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - no_files_or_dirs_ungroupowned
+
+ - id: 7.1.13
+ title: Ensure SUID and SGID files are reviewed (Manual)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: manual
+
+ - id: 7.2.1
+ title: Ensure accounts in /etc/passwd use shadowed passwords (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 7.2.2
+ title: Ensure /etc/shadow password fields are not empty (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 7.2.3
+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - gid_passwd_group_same
+
+ - id: 7.2.4
+ title: Ensure no duplicate UIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 7.2.5
+ title: Ensure no duplicate GIDs exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 7.2.6
+ title: Ensure no duplicate user names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 7.2.7
+ title: Ensure no duplicate group names exist (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: not applicable
+
+ - id: 7.2.8
+ title: Ensure local interactive user home directories are configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_ownership_home_directories
+ - file_permissions_home_directories
+
+ - id: 7.2.9
+ title: Ensure local interactive user dot files access is configured (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+ status: automated
+ rules:
+ - file_permission_user_init_files
+ - var_user_initialization_files_regex=all_dotfiles
+ - file_permission_user_bash_history
diff --git a/products/hummingbird/controls/stig_hummingbird.yml b/products/hummingbird/controls/stig_hummingbird.yml
new file mode 100644
index 000000000000..3dc2763fbe37
--- /dev/null
+++ b/products/hummingbird/controls/stig_hummingbird.yml
@@ -0,0 +1,1286 @@
+---
+policy: 'Red Hat Hummingbird Security Technical Implementation Guide'
+title: 'Red Hat Hummingbird Security Technical Implementation Guide'
+id: stig_hummingbird
+source: https://www.cyber.mil/stigs/downloads/
+version: vendor
+reference_type: stigid
+product: hummingbird
+
+levels:
+ - id: high
+ - id: medium
+ - id: low
+
+controls:
+ - id: SRG-OS-000001-GPOS-00001
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide automated mechanisms for supporting account management functions.'
+ status: does not meet
+
+ - id: SRG-OS-000002-GPOS-00002
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must automatically remove or disable temporary user accounts after 72 hours.'
+ status: not applicable
+
+ - id: SRG-OS-000004-GPOS-00004
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit all account creations.'
+ status: not applicable
+
+ - id: SRG-OS-000021-GPOS-00005
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.'
+ status: not applicable
+
+ - id: SRG-OS-000023-GPOS-00006
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.'
+ status: not applicable
+
+ - id: SRG-OS-000024-GPOS-00007
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.'
+ status: does not meet
+
+ - id: SRG-OS-000027-GPOS-00008
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must limit the number of concurrent sessions to ten for all accounts and/or account types.'
+ status: not applicable
+
+ - id: SRG-OS-000032-GPOS-00013
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must monitor remote access methods.'
+ status: not applicable
+
+ - id: SRG-OS-000033-GPOS-00014
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must implement DoD-approved encryption to protect the confidentiality of remote access sessions.'
+ status: not applicable
+
+ - id: SRG-OS-000038-GPOS-00016
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must produce audit records containing information to establish when (date and time) the events occurred.'
+ status: not applicable
+
+ - id: SRG-OS-000039-GPOS-00017
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must produce audit records containing information to establish where the events occurred.'
+ status: not applicable
+
+ - id: SRG-OS-000040-GPOS-00018
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must produce audit records containing information to establish the source of the events.'
+ status: not applicable
+
+ - id: SRG-OS-000041-GPOS-00019
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must produce audit records containing information to establish the outcome of the events.'
+ status: not applicable
+
+ - id: SRG-OS-000042-GPOS-00021
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must produce audit records containing the individual identities of group account users.'
+ status: not applicable
+
+ - id: SRG-OS-000046-GPOS-00022
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.'
+ status: not applicable
+
+ - id: SRG-OS-000051-GPOS-00024
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide the capability to centrally review and analyze audit records from multiple components within the system.'
+ status: not applicable
+
+ - id: SRG-OS-000054-GPOS-00025
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide the capability to filter audit records for events of interest based upon all audit fields within audit records.'
+ status: not applicable
+
+ - id: SRG-OS-000055-GPOS-00026
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must use internal system clocks to generate time stamps for audit records.'
+ status: inherently met
+
+ - id: SRG-OS-000063-GPOS-00032
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.'
+ status: not applicable
+
+ - id: SRG-OS-000066-GPOS-00034
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.'
+ status: manual
+
+ - id: SRG-OS-000067-GPOS-00035
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird, for PKI-based authentication, must enforce authorized access to the corresponding private key.'
+ status: manual
+
+ - id: SRG-OS-000068-GPOS-00036
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must map the authenticated identity to the user or group account for PKI-based authentication.'
+ status: not applicable
+
+ - id: SRG-OS-000070-GPOS-00038
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce password complexity by requiring that at least one lowercase character be used.'
+ status: not applicable
+
+ - id: SRG-OS-000071-GPOS-00039
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce password complexity by requiring that at least one numeric character be used.'
+ status: not applicable
+
+ - id: SRG-OS-000072-GPOS-00040
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must require the change of at least 50 percent of the total number of characters when passwords are changed.'
+ status: not applicable
+
+ - id: SRG-OS-000074-GPOS-00042
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must transmit only encrypted representations of passwords.'
+ status: automated
+ rules:
+ - package_tftp_removed
+ - package_vsftpd_removed
+ - package_telnet-server_removed
+
+ - id: SRG-OS-000075-GPOS-00043
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce 24 hours/1 day as the minimum password lifetime.'
+ status: not applicable
+
+ - id: SRG-OS-000078-GPOS-00046
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce a minimum 15-character password length.'
+ status: not applicable
+
+ - id: SRG-OS-000079-GPOS-00047
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.'
+ status: inherently met
+
+ - id: SRG-OS-000096-GPOS-00050
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.'
+ status: not applicable
+
+ - id: SRG-OS-000104-GPOS-00051
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).'
+ status: automated
+ rules:
+ - gid_passwd_group_same
+
+ - id: SRG-OS-000105-GPOS-00052
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must use multifactor authentication for network access to privileged accounts.'
+ status: not applicable
+
+ - id: SRG-OS-000106-GPOS-00053
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must use multifactor authentication for network access to non-privileged accounts.'
+ status: not applicable
+
+ - id: SRG-OS-000107-GPOS-00054
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must use multifactor authentication for local access to privileged accounts.'
+ status: not applicable
+
+ - id: SRG-OS-000108-GPOS-00055
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must use multifactor authentication for local access to nonprivileged accounts.'
+ status: not applicable
+
+ - id: SRG-OS-000109-GPOS-00056
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.'
+ status: not applicable
+
+ - id: SRG-OS-000112-GPOS-00057
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must implement replay-resistant authentication mechanisms for network access to privileged accounts.'
+ status: inherently met
+
+ - id: SRG-OS-000113-GPOS-00058
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.'
+ status: inherently met
+
+ - id: SRG-OS-000114-GPOS-00059
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must uniquely identify peripherals before establishing a connection.'
+ status: not applicable
+
+ - id: SRG-OS-000118-GPOS-00060
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.'
+ status: not applicable
+
+ - id: SRG-OS-000121-GPOS-00062
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).'
+ status: not applicable
+
+ - id: SRG-OS-000122-GPOS-00063
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide an audit reduction capability that supports on-demand reporting requirements.'
+ status: not applicable
+
+ - id: SRG-OS-000123-GPOS-00064
+ levels:
+ - medium
+ title: 'The information system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.'
+ status: not applicable
+
+ - id: SRG-OS-000125-GPOS-00065
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.'
+ status: not applicable
+
+ - id: SRG-OS-000132-GPOS-00067
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must separate user functionality (including user interface services) from operating system management functionality.'
+ status: inherently met
+
+ - id: SRG-OS-000138-GPOS-00069
+ levels:
+ - medium
+ title: 'Operating systems must prevent unauthorized and unintended information transfer via shared system resources.'
+ status: automated
+ rules:
+ - dir_perms_world_writable_root_owned
+ - dir_perms_world_writable_sticky_bits
+
+ - id: SRG-OS-000142-GPOS-00071
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.'
+ status: not applicable
+
+ - id: SRG-OS-000184-GPOS-00078
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.'
+ status: inherently met
+
+ - id: SRG-OS-000185-GPOS-00079
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must protect the confidentiality and integrity of all information at rest.'
+ status: not applicable
+
+ - id: SRG-OS-000205-GPOS-00083
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.'
+ status: inherently met
+
+ - id: SRG-OS-000206-GPOS-00084
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must reveal error messages only to authorized users.'
+ status: automated
+ rules:
+ - file_permissions_var_log_messages
+ - file_groupowner_var_log
+ - file_owner_var_log_messages
+ - file_groupowner_var_log_messages
+ - file_owner_var_log
+ - file_permissions_var_log
+
+ - id: SRG-OS-000239-GPOS-00089
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit all account modifications.'
+ status: not applicable
+
+ - id: SRG-OS-000240-GPOS-00090
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit all account disabling actions.'
+ status: not applicable
+
+ - id: SRG-OS-000241-GPOS-00091
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit all account removal actions.'
+ status: not applicable
+
+ - id: SRG-OS-000255-GPOS-00096
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must produce audit records containing information to establish the identity of any individual or process associated with the event.'
+ status: not applicable
+
+ - id: SRG-OS-000256-GPOS-00097
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must protect audit tools from unauthorized access.'
+ status: not applicable
+
+ - id: SRG-OS-000257-GPOS-00098
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must protect audit tools from unauthorized modification.'
+ status: not applicable
+
+ - id: SRG-OS-000258-GPOS-00099
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must protect audit tools from unauthorized deletion.'
+ status: not applicable
+
+ - id: SRG-OS-000259-GPOS-00100
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must limit privileges to change software resident within software libraries.'
+ status: automated
+ rules:
+ - dir_group_ownership_library_dirs
+ - file_groupownership_system_commands_dirs
+ - root_permissions_syslibrary_files
+ - dir_ownership_library_dirs
+ - dir_permissions_library_dirs
+ - file_ownership_binary_dirs
+ - file_permissions_library_dirs
+ - file_permissions_binary_dirs
+ - file_ownership_library_dirs
+
+ - id: SRG-OS-000266-GPOS-00101
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce password complexity by requiring that at least one special character be used.'
+ status: not applicable
+
+ - id: SRG-OS-000274-GPOS-00104
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must notify system administrators and ISSOs when accounts are created.'
+ status: does not meet
+
+ - id: SRG-OS-000275-GPOS-00105
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must notify system administrators and ISSOs when accounts are modified.'
+ status: does not meet
+
+ - id: SRG-OS-000276-GPOS-00106
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must notify system administrators and ISSOs when accounts are disabled.'
+ status: does not meet
+
+ - id: SRG-OS-000277-GPOS-00107
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must notify system administrators and ISSOs when accounts are removed.'
+ status: does not meet
+
+ - id: SRG-OS-000278-GPOS-00108
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must use cryptographic mechanisms to protect the integrity of audit tools.'
+ status: not applicable
+
+ - id: SRG-OS-000279-GPOS-00109
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must automatically terminate a user session after inactivity time-outs have expired or at shutdown.'
+ status: not applicable
+
+ - id: SRG-OS-000280-GPOS-00110
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide a logoff capability for user-initiated communications sessions when requiring user access authentication.'
+ status: inherently met
+
+ - id: SRG-OS-000281-GPOS-00111
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.'
+ status: inherently met
+
+ - id: SRG-OS-000297-GPOS-00115
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must control remote access methods.'
+ status: not applicable
+
+ - id: SRG-OS-000298-GPOS-00116
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide the capability to immediately disconnect or disable remote access to the operating system.'
+ status: inherently met
+
+ - id: SRG-OS-000299-GPOS-00117
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must protect wireless access to and from the system using encryption.'
+ status: not applicable
+
+ - id: SRG-OS-000300-GPOS-00118
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must protect wireless access to the system using authentication of users and/or devices.'
+ status: not applicable
+
+ - id: SRG-OS-000303-GPOS-00120
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit all account enabling actions.'
+ status: not applicable
+
+ - id: SRG-OS-000304-GPOS-00121
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.'
+ status: not applicable
+
+ - id: SRG-OS-000312-GPOS-00122
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must allow operating system admins to pass information to any other operating system admin or user.'
+ status: inherently met
+
+ - id: SRG-OS-000312-GPOS-00123
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must allow operating system admins to grant their privileges to other operating system admins.'
+ status: not applicable
+
+ - id: SRG-OS-000312-GPOS-00124
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must allow operating system admins to change security attributes on users, the operating system, or the operating systems components.'
+ status: inherently met
+
+ - id: SRG-OS-000326-GPOS-00126
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must prevent all software from executing at higher privilege levels than users executing the software.'
+ status: not applicable
+
+ - id: SRG-OS-000327-GPOS-00127
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit the execution of privileged functions.'
+ status: not applicable
+
+ - id: SRG-OS-000329-GPOS-00128
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.'
+ status: not applicable
+
+ - id: SRG-OS-000337-GPOS-00129
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide the capability for assigned IMOs/ISSOs or designated SAs to change the auditing to be performed on all operating system components, based on all selectable event criteria in near real time.'
+ status: not applicable
+
+ - id: SRG-OS-000342-GPOS-00133
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must offload audit records onto a different system or media from the system being audited.'
+ status: not applicable
+
+ - id: SRG-OS-000343-GPOS-00134
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.'
+ status: not applicable
+
+ - id: SRG-OS-000344-GPOS-00135
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.'
+ status: does not meet
+
+ - id: SRG-OS-000348-GPOS-00136
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must provide an audit reduction capability that supports on-demand audit review and analysis.'
+ status: not applicable
+
+ - id: SRG-OS-000349-GPOS-00137
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must provide an audit reduction capability that supports after-the-fact investigations of security incidents.'
+ status: not applicable
+
+ - id: SRG-OS-000350-GPOS-00138
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must provide a report generation capability that supports on-demand audit review and analysis.'
+ status: not applicable
+
+ - id: SRG-OS-000351-GPOS-00139
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must provide a report generation capability that supports on-demand reporting requirements.'
+ status: not applicable
+
+ - id: SRG-OS-000352-GPOS-00140
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must provide a report generation capability that supports after-the-fact investigations of security incidents.'
+ status: not applicable
+
+ - id: SRG-OS-000353-GPOS-00141
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must not alter original content or time ordering of audit records when it provides an audit reduction capability.'
+ status: not applicable
+
+ - id: SRG-OS-000354-GPOS-00142
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must not alter original content or time ordering of audit records when it provides a report generation capability.'
+ status: not applicable
+
+ - id: SRG-OS-000356-GPOS-00144
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.'
+ status: not applicable
+
+ - id: SRG-OS-000358-GPOS-00145
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.'
+ status: inherently met
+
+ - id: SRG-OS-000359-GPOS-00146
+ levels:
+ - low
+ title: 'Red Hat Hummingbird must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).'
+ status: not applicable
+
+ - id: SRG-OS-000360-GPOS-00147
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce dual authorization for movement and/or deletion of all audit information, when such movement or deletion is not part of an authorized automatic process.'
+ status: does not meet
+
+ - id: SRG-OS-000362-GPOS-00149
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must prohibit user installation of system software without explicit privileged status.'
+ status: inherently met
+
+ - id: SRG-OS-000363-GPOS-00150
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must notify designated personnel if baseline configurations are changed in an unauthorized manner.'
+ status: not applicable
+
+ - id: SRG-OS-000364-GPOS-00151
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce access restrictions.'
+ status: inherently met
+
+ - id: SRG-OS-000365-GPOS-00152
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must audit the enforcement actions used to restrict access associated with changes to the system.'
+ status: not applicable
+
+ - id: SRG-OS-000370-GPOS-00155
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.'
+ status: not applicable
+
+ - id: SRG-OS-000376-GPOS-00161
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must accept Personal Identity Verification (PIV) credentials.'
+ status: not applicable
+
+ - id: SRG-OS-000377-GPOS-00162
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must electronically verify Personal Identity Verification (PIV) credentials.'
+ status: not applicable
+
+ - id: SRG-OS-000378-GPOS-00163
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must authenticate peripherals before establishing a connection.'
+ status: not applicable
+
+ - id: SRG-OS-000379-GPOS-00164
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.'
+ status: not applicable
+
+ - id: SRG-OS-000383-GPOS-00166
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must prohibit the use of cached authenticators after one day.'
+ status: not applicable
+
+ - id: SRG-OS-000393-GPOS-00173
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.'
+ status: automated
+ rules:
+ - configure_crypto_policy
+ - package_crypto-policies_installed
+ - var_system_crypto_policy=fips
+
+ - id: SRG-OS-000394-GPOS-00174
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.'
+ status: automated
+ rules:
+ - configure_crypto_policy
+ - package_crypto-policies_installed
+ - var_system_crypto_policy=fips
+
+ - id: SRG-OS-000395-GPOS-00175
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions.'
+ status: inherently met
+
+ - id: SRG-OS-000403-GPOS-00182
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system.'
+ status: does not meet
+
+ - id: SRG-OS-000404-GPOS-00183
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components.'
+ status: not applicable
+
+ - id: SRG-OS-000405-GPOS-00184
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest on all operating system components.'
+ status: not applicable
+
+ - id: SRG-OS-000424-GPOS-00188
+ levels:
+ - high
+ title: 'Red Hat Hummingbird must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).'
+ status: not applicable
+
+ - id: SRG-OS-000425-GPOS-00189
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must maintain the confidentiality and integrity of information during preparation for transmission.'
+ status: not applicable
+
+ - id: SRG-OS-000426-GPOS-00190
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must maintain the confidentiality and integrity of information during reception.'
+ status: not applicable
+
+ - id: SRG-OS-000432-GPOS-00191
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.'
+ status: inherently met
+
+ - id: SRG-OS-000433-GPOS-00193
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must implement address space layout randomization to protect its memory from unauthorized code execution.'
+ status: not applicable
+
+ - id: SRG-OS-000437-GPOS-00194
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must remove all software components after updated versions have been installed.'
+ status: not applicable
+
+ - id: SRG-OS-000446-GPOS-00200
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must perform verification of the correct operation of security functions: upon system start-up and/or restart; upon command by a user with privileged access; and/or every 30 days.'
+ status: not applicable
+
+ - id: SRG-OS-000447-GPOS-00201
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.'
+ status: not applicable
+
+ - id: SRG-OS-000458-GPOS-00203
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to access security objects occur.'
+ status: not applicable
+
+ - id: SRG-OS-000461-GPOS-00205
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.'
+ status: not applicable
+
+ - id: SRG-OS-000463-GPOS-00207
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to modify security objects occur.'
+ status: not applicable
+
+ - id: SRG-OS-000465-GPOS-00209
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.'
+ status: not applicable
+
+ - id: SRG-OS-000470-GPOS-00214
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful logon attempts occur.'
+ status: not applicable
+
+ - id: SRG-OS-000471-GPOS-00216
+ levels:
+ - medium
+ title: 'The audit system must be configured to audit the loading and unloading of dynamic kernel modules.'
+ status: not applicable
+
+ - id: SRG-OS-000472-GPOS-00217
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records showing starting and ending time for user access to the system.'
+ status: inherently met
+
+ - id: SRG-OS-000473-GPOS-00218
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when concurrent logons to the same account occur from different sources.'
+ status: not applicable
+
+ - id: SRG-OS-000474-GPOS-00219
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful accesses to objects occur.'
+ status: not applicable
+
+ - id: SRG-OS-000475-GPOS-00220
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records for all direct access to the information system.'
+ status: not applicable
+
+ - id: SRG-OS-000476-GPOS-00221
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records for all account creations, modifications, disabling, and termination events.'
+ status: not applicable
+
+ - id: SRG-OS-000477-GPOS-00222
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.'
+ status: not applicable
+
+ - id: SRG-OS-000479-GPOS-00224
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly.'
+ status: not applicable
+
+ - id: SRG-OS-000480-GPOS-00225
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must prevent the use of dictionary words for passwords.'
+ status: not applicable
+
+ - id: SRG-OS-000480-GPOS-00226
+ levels:
+ - medium
+ title: 'Red Hat Hummingbird must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.'
+ status: not applicable + + - id: SRG-OS-000480-GPOS-00228 + levels: + - medium + title: 'Red Hat Hummingbird must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.' + status: not applicable + + - id: SRG-OS-000480-GPOS-00229 + levels: + - high + title: 'Red Hat Hummingbird must not allow an unattended or automatic logon to the system.' + status: not applicable + + - id: SRG-OS-000480-GPOS-00232 + levels: + - medium + title: 'Red Hat Hummingbird must enable an application firewall, if available.' + status: not applicable + + - id: SRG-OS-000481-GPOS-00481 + levels: + - high + title: 'Red Hat Hummingbird must protect the confidentiality and integrity of communications with wireless peripherals.' + status: not applicable + + - id: SRG-OS-000755-GPOS-00220 + levels: + - medium + title: 'Red Hat Hummingbird must monitor the use of maintenance tools that execute with increased privilege.' + status: not applicable + + - id: SRG-OS-000057-GPOS-00027 + levels: + - medium + title: 'Red Hat Hummingbird must protect audit information from unauthorized read access.' + status: not applicable + + - id: SRG-OS-000058-GPOS-00028 + levels: + - medium + title: 'Red Hat Hummingbird must protect audit information from unauthorized modification.' + status: not applicable + + - id: SRG-OS-000059-GPOS-00029 + levels: + - medium + title: 'Red Hat Hummingbird must protect audit information from unauthorized deletion.' + status: not applicable + + - id: SRG-OS-000069-GPOS-00037 + levels: + - medium + title: 'Red Hat Hummingbird must enforce password complexity by requiring that at least one uppercase character be used.' + status: not applicable + + - id: SRG-OS-000076-GPOS-00044 + levels: + - medium + title: 'Red Hat Hummingbird must enforce a 60-day maximum password lifetime restriction.' 
+ status: not applicable + + - id: SRG-OS-000120-GPOS-00061 + levels: + - medium + title: 'Red Hat Hummingbird must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.' + status: not applicable + + - id: SRG-OS-000355-GPOS-00143 + levels: + - medium + title: 'Red Hat Hummingbird must, for networked systems, compare internal information system clocks at least every 24 hours with an authoritative time source.' + status: not applicable + + - id: SRG-OS-000375-GPOS-00160 + levels: + - medium + title: 'Red Hat Hummingbird must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.' + status: not applicable + + - id: SRG-OS-000478-GPOS-00223 + levels: + - high + title: 'Red Hat Hummingbird must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' + status: automated + rules: + - configure_crypto_policy + - package_crypto-policies_installed + - var_system_crypto_policy=fips + + - id: SRG-OS-000028-GPOS-00009 + levels: + - high + title: 'Red Hat Hummingbird must retain a users session lock until that user reestablishes access using established identification and authentication procedures.' + status: not applicable + + - id: SRG-OS-000029-GPOS-00010 + levels: + - medium + title: 'Red Hat Hummingbird must initiate a session lock after a 15-minute period of inactivity for all connection types.' 
+ status: not applicable + + - id: SRG-OS-000030-GPOS-00011 + levels: + - medium + title: 'Red Hat Hummingbird must provide the capability for users to directly initiate a session lock for all connection types.' + status: not applicable + + - id: SRG-OS-000031-GPOS-00012 + levels: + - medium + title: 'Red Hat Hummingbird must conceal, via the session lock, information previously visible on the display with a publicly viewable image.' + status: not applicable + + - id: SRG-OS-000037-GPOS-00015 + levels: + - medium + title: 'Red Hat Hummingbird must produce audit records containing information to establish what type of events occurred.' + status: not applicable + + - id: SRG-OS-000042-GPOS-00020 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records containing the full-text recording of privileged commands.' + status: not applicable + + - id: SRG-OS-000062-GPOS-00031 + levels: + - medium + title: 'Red Hat Hummingbird must provide audit record generation capability for DoD-defined auditable events for all operating system components.' + status: not applicable + + - id: SRG-OS-000064-GPOS-00033 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to access privileges occur.' + status: not applicable + + - id: SRG-OS-000073-GPOS-00041 + levels: + - high + title: 'Red Hat Hummingbird must store only encrypted representations of passwords.' + status: not applicable + + - id: SRG-OS-000080-GPOS-00048 + levels: + - medium + title: 'Red Hat Hummingbird must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.' + status: not applicable + + - id: SRG-OS-000095-GPOS-00049 + levels: + - medium + title: 'Red Hat Hummingbird must be configured to disable non-essential capabilities.' 
+ status: not applicable + + - id: SRG-OS-000134-GPOS-00068 + levels: + - medium + title: 'Red Hat Hummingbird must isolate security functions from nonsecurity functions.' + status: not applicable + + - id: SRG-OS-000163-GPOS-00072 + levels: + - medium + title: 'Red Hat Hummingbird must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.' + status: not applicable + + - id: SRG-OS-000228-GPOS-00088 + levels: + - medium + title: 'Any publically accessible connection to Red Hat Hummingbird must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.' + status: not applicable + + - id: SRG-OS-000250-GPOS-00093 + levels: + - high + title: 'Red Hat Hummingbird must implement cryptography to protect the integrity of remote access sessions.' + status: not applicable + + - id: SRG-OS-000254-GPOS-00095 + levels: + - medium + title: 'Red Hat Hummingbird must initiate session audits at system start-up.' + status: not applicable + + - id: SRG-OS-000269-GPOS-00103 + levels: + - medium + title: 'In the event of a system failure, Red Hat Hummingbird must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.' + status: not applicable + + - id: SRG-OS-000324-GPOS-00125 + levels: + - high + title: 'Red Hat Hummingbird must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.' 
+ status: not applicable + + - id: SRG-OS-000341-GPOS-00132 + levels: + - low + title: "Red Hat Hummingbird must allocate audit record storage capacity to store at least one week's worth of audit records, when audit records are not immediately sent to a central audit record storage facility." + status: not applicable + + - id: SRG-OS-000368-GPOS-00154 + levels: + - medium + title: 'Red Hat Hummingbird must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.' + status: not applicable + + - id: SRG-OS-000373-GPOS-00156 + levels: + - medium + title: 'Red Hat Hummingbird must require users to reauthenticate for privilege escalation.' + status: not applicable + + - id: SRG-OS-000373-GPOS-00157 + levels: + - medium + title: 'Red Hat Hummingbird must require users to reauthenticate when changing roles.' + status: not applicable + + - id: SRG-OS-000373-GPOS-00158 + levels: + - medium + title: 'Red Hat Hummingbird must require users to reauthenticate when changing authenticators.' + status: not applicable + + - id: SRG-OS-000384-GPOS-00167 + levels: + - medium + title: 'Red Hat Hummingbird, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.' + status: manual + + - id: SRG-OS-000392-GPOS-00172 + levels: + - medium + title: 'Red Hat Hummingbird must audit all activities performed during nonlocal maintenance and diagnostic sessions.' + status: not applicable + + - id: SRG-OS-000396-GPOS-00176 + levels: + - high + title: 'Red Hat Hummingbird must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' 
+ status: automated + rules: + - configure_crypto_policy + - package_crypto-policies_installed + + - id: SRG-OS-000420-GPOS-00186 + levels: + - medium + title: 'Red Hat Hummingbird must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.' + status: not applicable + + - id: SRG-OS-000423-GPOS-00187 + levels: + - high + title: 'Red Hat Hummingbird must protect the confidentiality and integrity of transmitted information.' + status: not applicable + + - id: SRG-OS-000433-GPOS-00192 + levels: + - medium + title: 'Red Hat Hummingbird must implement non-executable data to protect its memory from unauthorized code execution.' + status: not applicable + + - id: SRG-OS-000439-GPOS-00195 + levels: + - medium + title: 'Red Hat Hummingbird must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).' + status: not applicable + + - id: SRG-OS-000445-GPOS-00199 + levels: + - medium + title: 'Red Hat Hummingbird must verify correct operation of all security functions.' + status: not applicable + + - id: SRG-OS-000462-GPOS-00206 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to modify privileges occur.' + status: not applicable + + - id: SRG-OS-000466-GPOS-00210 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to delete privileges occur.' + status: not applicable + + - id: SRG-OS-000467-GPOS-00211 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to delete security levels occur.' 
+ status: not applicable + + - id: SRG-OS-000468-GPOS-00212 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records when successful/unsuccessful attempts to delete security objects occur.' + status: not applicable + + - id: SRG-OS-000471-GPOS-00215 + levels: + - medium + title: 'Red Hat Hummingbird must generate audit records for privileged activities or other system-level access.' + status: not applicable + + - id: SRG-OS-000480-GPOS-00227 + levels: + - medium + title: 'Red Hat Hummingbird must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.' + status: automated + rules: + - file_owner_etc_gshadow + - file_groupowner_backup_etc_group + - dir_perms_world_writable_root_owned + - file_permissions_etc_group + - file_owner_etc_shadow + - installed_OS_is_vendor_supported + - package_unbound_removed + - file_permissions_etc_passwd + - no_host_based_files + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_gshadow + - file_permissions_ungroupowned + - file_groupowner_etc_passwd + - file_groupowner_etc_shadow + - file_permissions_home_directories + - file_owner_backup_etc_gshadow + - file_owner_backup_etc_shadow + - file_permission_user_init_files + - package_tftp-server_removed + - package_vsftpd_removed + - file_owner_etc_passwd + - file_groupownership_home_directories + - file_permissions_etc_gshadow + - file_permissions_backup_etc_shadow + - package_tuned_removed + - file_permissions_etc_shadow + - file_groupowner_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_passwd + - file_permissions_backup_etc_group + - file_owner_etc_group + - no_user_host_based_files + - package_gssproxy_removed + - file_permission_user_init_files_root + - file_groupowner_etc_gshadow + - file_groupowner_backup_etc_passwd + - 
file_groupowner_backup_etc_shadow + - package_nfs-utils_removed + - var_user_initialization_files_regex=all_dotfiles + + - id: SRG-OS-000480-GPOS-00230 + levels: + - medium + title: 'Red Hat Hummingbird must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.' + status: does not meet + + - id: SRG-OS-000590-GPOS-00110 + levels: + - medium + title: 'Red Hat Hummingbird must disable accounts when the accounts are no longer associated to a user.' + status: not applicable + + - id: SRG-OS-000690-GPOS-00140 + levels: + - medium + title: 'Red Hat Hummingbird must prohibit the use or connection of unauthorized hardware components.' + status: not applicable + + - id: SRG-OS-000705-GPOS-00150 + levels: + - medium + title: 'Red Hat Hummingbird must implement multifactor authentication for local, network, and/or remote access to privileged accounts and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.' + status: not applicable + + - id: SRG-OS-000710-GPOS-00160 + levels: + - medium + title: 'Red Hat Hummingbird must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).' + status: does not meet + + - id: SRG-OS-000720-GPOS-00170 + levels: + - medium + title: 'Red Hat Hummingbird must for password-based authentication, require immediate selection of a new password upon account recovery.' + status: does not meet + + - id: SRG-OS-000725-GPOS-00180 + levels: + - medium + title: 'Red Hat Hummingbird must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.' 
+ status: inherently met + + - id: SRG-OS-000730-GPOS-00190 + levels: + - medium + title: 'Red Hat Hummingbird must, for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.' + status: not applicable + + - id: SRG-OS-000745-GPOS-00210 + levels: + - medium + title: 'Red Hat Hummingbird must accept only external credentials that are NIST-compliant.' + status: does not meet + + - id: SRG-OS-000775-GPOS-00230 + levels: + - medium + title: 'Red Hat Hummingbird must include only approved trust anchors in trust stores or certificate stores managed by the organization.' + status: manual + + - id: SRG-OS-000780-GPOS-00240 + levels: + - medium + title: 'Red Hat Hummingbird must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.' + status: not applicable + + - id: SRG-OS-000785-GPOS-00250 + levels: + - medium + title: 'Red Hat Hummingbird must synchronize system clocks within and between systems or system components.' + status: not applicable + + - id: SRG-OS-000366-GPOS-00153 + levels: + - high + title: 'Red Hat Hummingbird must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.' + status: automated + rules: + - ensure_redhat_gpgkey_installed From 62dab8c1ee31ffd07b8512d1ae6fda112b3d26a4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 27 Mar 2026 12:48:55 +0100 Subject: [PATCH 3/8] Adapt existing rules and macros for hummingbird Update rule descriptions, OCIL, and Jinja2 macros to handle hummingbird as a container-based product: adjust library dir descriptions, crypto policy text, GPG key instructions, package install/remove macros, and file permission/ownership macros. --- .../obsolete/package_rsync_removed/rule.yml | 2 +- .../dir_group_ownership_library_dirs/rule.yml | 12 ++++++--- .../dir_ownership_library_dirs/rule.yml | 12 ++++++--- .../dir_permissions_library_dirs/rule.yml | 10 +++++--- .../file_ownership_library_dirs/rule.yml | 12 ++++++--- .../file_permissions_library_dirs/rule.yml | 12 ++++++--- .../oval/shared.xml | 1 + .../installed_OS_is_vendor_supported/rule.yml | 2 +- .../crypto/configure_crypto_policy/rule.yml | 4 +++ .../ensure_gpgcheck_never_disabled/rule.yml | 2 ++ .../ensure_redhat_gpgkey_installed/rule.yml | 7 ++++-- .../guide/system/software/updating/group.yml | 5 ++++ shared/macros/01-general.jinja | 25 +++++++++++++++++++ 13 files changed, 83 insertions(+), 23 deletions(-) diff --git a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml index 931b8b6d385c..34e6d77272d8 100644 --- a/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml +++ b/linux_os/guide/services/obsolete/package_rsync_removed/rule.yml @@ -1,4 +1,4 @@ -{{% if 'rhel' in product or product in ['ol8','ol9'] -%}} +{{% if 'rhel' in product or product in ['ol8','ol9', 'hummingbird'] -%}} {{% set pkg='rsync-daemon' %}} {{% else %}} {{% set pkg='rsync' %}} diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml index 3ce312aace9e..e1780a7da884 100644 
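Review bot: The extended list literal mixes spacing, `['ol8','ol9', 'hummingbird']`; `['ol8', 'ol9', 'hummingbird']` keeps one style and makes future additions read uniformly. The substring test `'rhel' in product` on the same line predates this change, so hummingbird is only reached through the explicit list, which is the right place for it.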
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml @@ -12,12 +12,16 @@ description: |- /usr/lib /usr/lib64 + {{% if product != "hummingbird" %}} Kernel modules, which can be added to the kernel during runtime, are also - stored in /lib/modules. All files in these directories should be - group-owned by the root user. If the directories, is found to be owned - by a user other than root correct its - ownership with the following command: + stored in /lib/modules. + {{% endif %}} + All files in these directories should be group-owned by the root group. + {{% if product != "hummingbird" %}} + If the directories are found to be owned by a group other than root correct + its ownership with the following command:
$ sudo chgrp root DIR
+ {{% endif %}} rationale: |- Files from shared library directories are loaded into the address diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml index 611558766535..83037dba7333 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml @@ -11,12 +11,16 @@ description: |- /usr/lib /usr/lib64 + {{% if product != "hummingbird" %}} Kernel modules, which can be added to the kernel during runtime, are also - stored in /lib/modules. All files in these directories should be - owned by the root user. If the directories, is found to be owned - by a user other than root correct its - ownership with the following command: + stored in /lib/modules. + {{% endif %}} + All files in these directories should be owned by the root user. + {{% if product != "hummingbird" %}} + If the directories are found to be owned by a user other than root correct + its ownership with the following command:
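Review bot: For hummingbird the description now states the requirement but gates off the remediation sentence entirely, so the rendered guide gives no hint how a finding in a container image is fixed; the `describe_package_remove` macro changed later in this commit points the reader at the Containerfile, and an `{{% else %}}` before the closing `{{% endif %}}` could do the same here, e.g. `Correct the group ownership in the Containerfile and rebuild the container image.`. The identical structure is repeated in the dir_ownership_library_dirs, dir_permissions_library_dirs, file_ownership_library_dirs and file_permissions_library_dirs hunks below, so whichever wording is chosen should be applied to all five. Whether /lib/modules is also dropped from the OVAL object for hummingbird is not visible in this series; if only the prose is gated, the check and its description disagree.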
$ sudo chown root DIR
+ {{% endif %}} rationale: |- Files from shared library directories are loaded into the address diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml index 88d4068b3297..2236a9f16be3 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml @@ -12,12 +12,16 @@ description: |- /usr/lib /usr/lib64 + {{% if product != "hummingbird" %}} Kernel modules, which can be added to the kernel during runtime, are - stored in /lib/modules. All sub-directories in these directories - should not be group-writable or world-writable. If any file in these - directories is found to be group-writable or world-writable, correct + stored in /lib/modules. + {{% endif %}} + All sub-directories in these directories should not be group-writable or world-writable. + {{% if product != "hummingbird" %}} + If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w DIR
+ {{% endif %}} rationale: |- If the operating system were to allow any user to make changes to software libraries, diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml index d6c2ed6df1d8..609309761ae5 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml @@ -11,12 +11,16 @@ description: |- /usr/lib /usr/lib64 + {{% if product != "hummingbird" %}} Kernel modules, which can be added to the kernel during runtime, are also - stored in /lib/modules. All files in these directories should be - owned by the root user. If the directory, or any file in these - directories, is found to be owned by a user other than root correct its - ownership with the following command: + stored in /lib/modules. + {{% endif %}} + All files in these directories should be owned by the root user. + {{% if product != "hummingbird" %}} + If the directory, or any file in these directories, is found to be owned + by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
+ {{% endif %}} rationale: |- Files from shared library directories are loaded into the address diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml index 7f541885a066..3361cf819a9f 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml @@ -11,12 +11,16 @@ description: |- /usr/lib /usr/lib64 + {{% if product != "hummingbird" %}} Kernel modules, which can be added to the kernel during runtime, are - stored in /lib/modules. All files in these directories - should not be group-writable or world-writable. If any file in these - directories is found to be group-writable or world-writable, correct - its permission with the following command: + stored in /lib/modules. + {{% endif %}} + All files in these directories should not be group-writable or world-writable. + {{% if product != "hummingbird" %}} + If any file in these directories is found to be group-writable + or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
+ {{% endif %}} rationale: |- Files from shared library directories are loaded into the address diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml index 5d86a46a2388..ab6480a8cefa 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml @@ -8,6 +8,7 @@ + diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index a7a47148ab0d..35e234c7d031 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -60,7 +60,7 @@ ocil_clause: 'the installed operating system is not supported' ocil: |- To verify that the installed operating system is supported, run the following command: -{{% if product.startswith("rhel") %}} +{{% if product.startswith("rhel") or product == "hummingbird" %}}
$ grep -i "red hat" /etc/redhat-release
{{% elif 'ol' in families %}}
$ grep -i "oracle" /etc/oracle-release
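Review bot: Routing hummingbird through the `grep -i "red hat" /etc/redhat-release` branch assumes Hummingbird images ship `/etc/redhat-release`; the series description says Hummingbird is not a RHEL derivative, so this should be confirmed against an actual image, because if the file is absent the OCIL sends the assessor to a non-existent path. If the new `installed_OS_is_hummingbird` OVAL check (not visible here) keys on `/etc/os-release` instead, a dedicated `{{% elif product == "hummingbird" %}}` branch pointing at the same file would keep the manual and automated checks consistent.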
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml index 2800415a2f58..0a37f3de46de 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml @@ -4,6 +4,7 @@ documentation_complete: true title: 'Configure System Cryptography Policy' description: |- + {{% if product != "hummingbird" -%}} To configure the system cryptography policy to use ciphers only from the {{{ xccdf_value("var_system_crypto_policy") }}} {{% if product != "rhcos4" -%}} policy, run the following command: @@ -42,6 +43,7 @@ description: |-
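Review bot: Wrapping the whole "To configure ..." text in `{{% if product != "hummingbird" -%}}` (closed by the `{{% endif -%}}` added in the next hunk) leaves the hummingbird description with only the "The rule checks ..." paragraph, so it never states what the required policy is or that it has to be set at image build time, even though the STIG profile in this series maps this rule to SRG-OS-000478 with `var_system_crypto_policy=fips`. Consider an `{{% else -%}}` branch such as `The system-wide crypto policy in the container image shall be set to {{{ xccdf_value("var_system_crypto_policy") }}}; it is configured when the image is built.`. Dropping the reboot warning in the third hunk fits a container image, but the `ocil` block in that hunk's context is unchanged and may still instruct running commands a distroless image does not carry; that text is not visible here and is worth re-reading for hummingbird.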

{{{ machineconfig_description_footer() | indent(4) }}} {{% endif -%}} + {{% endif -%}} The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. @@ -86,8 +88,10 @@ ocil: |- Outputs of two previous commands should match. warnings: + {{% if product != "hummingbird" -%}} - general: |- The system needs to be rebooted for these changes to take effect. + {{% endif -%}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml index 9ab39ecab791..a36bc19edc32 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml @@ -75,3 +75,5 @@ checktext: |- gpgcheck = 1 If "gpgcheck" is not set to "1" for all returned lines, this is a finding. + +platform: package[{{{ pkg_manager }}}] diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml index 1baf1173b992..31b49725a950 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml 
@@ -6,8 +6,10 @@ title: 'Ensure Red Hat GPG Key Installed' description: |- To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), - the Red Hat GPG key must properly be installed. To install the Red Hat GPG - key, run: + the Red Hat GPG key must properly be installed. + + {{% if product != "hummingbird" %}} + To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then @@ -20,6 +22,7 @@ description: |- Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+ {{% endif %}} rationale: |- diff --git a/linux_os/guide/system/software/updating/group.yml b/linux_os/guide/system/software/updating/group.yml index fbc87761edda..5f9e49707916 100644 --- a/linux_os/guide/system/software/updating/group.yml +++ b/linux_os/guide/system/software/updating/group.yml @@ -3,6 +3,10 @@ documentation_complete: true title: 'Updating Software' description: |- +{{% if product == "hummingbird" %}} + {{{ full_name }}} containers and container images contain an installed software + catalog called the RPM database, which records metadata of installed RPM packages. +{{% else %}} The {{{ pkg_manager }}} command line tool is used to install and update software packages. The system also provides a graphical software update tool in the System menu, in the Administration submenu, @@ -13,3 +17,4 @@ description: |- {{{ pkg_manager }}} or the graphical Software Update for all software installation allows for insight into the current inventory of installed software on the system.
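Review bot: With the installation steps gated off, the hummingbird description still opens with "(and to connect to the Red Hat Network to receive them)", which does not apply to an image that is built rather than updated from RHN, and the gated span ends without saying how the key is expected to reach the image. Since the STIG profile in this series selects `ensure_redhat_gpgkey_installed` for hummingbird, an `{{% else %}}` before the `{{% endif %}}` such as `The key must be imported into the RPM database when the container image is built.` would tell the reader what the check looks for. The `{{% if %}}` opens in the first hunk of this file and closes in the second.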

+{{% endif %}} diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index 80dc6eeca5e3..190c833d79e0 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -774,8 +774,12 @@ substituting the correct package management software. #}} {{%- macro describe_package_install(package) -%}} +{{%- if product == "hummingbird" -%}} + The {{{ package }}} package needs to be present in the container or container image. +{{%- else -%}} The {{{ package }}} package can be installed with the following command:
{{{ package_install(package) }}}
+{{%- endif %}} {{%- endmacro %}} @@ -810,8 +814,13 @@ substituting the correct package management software. #}} {{%- macro describe_package_remove(package) -%}} +{{%- if product == "hummingbird" -%}} + The {{{ package }}} package should not be present in the container or container image. + Remove the {{{ package }}} package from Containerfile and rebuild the container image. +{{%- else -%}} The {{{ package }}} package can be removed with the following command:
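Review bot: `product == "hummingbird"` is now hardcoded in five macros of this file (this hunk and the four below) and in several rule files of this commit, so every future container-image product needs the same set of edits; a product-level attribute, or a family tested the way the vendor-supported OCIL already does with `'ol' in families`, would let all these sites test one condition instead of a product name. Separately, the hummingbird branch here only says the package "needs to be present", while `describe_package_remove` below tells the reader to change the Containerfile and rebuild; the install branch should give the same actionable step, e.g. `Add the {{{ package }}} package to the Containerfile and rebuild the container image.`.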
{{{ package_remove(package) }}}
+{{%- endif %}} {{%- endmacro %}} @@ -825,8 +834,12 @@ substituting the correct package management software. #}} {{%- macro describe_file_permissions(file, perms) %}} +{{%- if product == "hummingbird" -%}} + The {{{ file }}} shall have the {{{ perms }}} permission mode. +{{%- else -%}} To properly set the permissions of {{{ file }}}, run the command:
$ sudo chmod {{{ perms }}} {{{ file }}}
+{{%- endif %}} {{%- endmacro %}} @@ -840,11 +853,17 @@ substituting the correct package management software. #}} {{%- macro describe_file_owner(file, owner) %}} +{{%- if product == "hummingbird" -%}} + The {{{ file }}} should be owned by the + {{%- for own in owner.split("|") %}} {{{ own }}} {{% if not loop.last %}} or {{% endif %}}{{% endfor -%}} + user. +{{%- else -%}} To properly set the owner of {{{ file }}}, run the command: {{% for own in owner.split("|") %}}
$ sudo chown {{{ own }}} {{{ file }}} 
{{% if not loop.last %}} or {{% endif %}} {{% endfor %}} +{{%- endif -%}} {{%- endmacro %}} {{# @@ -889,11 +908,17 @@ substituting the correct package management software. #}} {{%- macro describe_file_group_owner(file, group) %}} +{{%- if product == "hummingbird" -%}} + The {{{ file }}} should be group-owned by the + {{%- for grp in group.split("|") %}} {{{ grp }}} {{% if not loop.last %}} or {{% endif %}}{{% endfor -%}} + group. +{{%- else -%}} To properly set the group owner of {{{ file }}}, run the command: {{% for grp in group.split("|") %}}
$ sudo chgrp {{{ grp }}} {{{ file }}}
{{% if not loop.last %}} or {{% endif %}} {{% endfor %}} +{{%- endif %}} {{%- endmacro %}} {{# From 3b9a795ad7995d439127377305164a539d4e6c45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 27 Mar 2026 12:49:09 +0100 Subject: [PATCH 4/8] Add container default user exception in OVAL macro Exclude the distroless default user (UID 65532) from home directory checks for hummingbird, since distroless images have no /home directory and this user's home is set to /tmp. --- shared/macros/10-oval.jinja | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 784d659e94fd..28fc772ef1ea 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1321,7 +1321,12 @@ Generates the :code:`` tag for OVAL check using correct product platfo state_{{{ object_id }}}_users_ignored + {{%- if product == "hummingbird" -%}} + {{# Hummingbird contains special "default" user named 65532 which has the home directory set to /tmp because distroless images ship no /home directory. #}} + {{%- set ignored_users_list="(nobody|nfsnobody|65532)" %}} + {{%- else -%}} {{%- set ignored_users_list="(nobody|nfsnobody)" %}} + {{%- endif -%}} ^{{{ ignored_users_list }}}$ From db9dd2102409718e2f1c2eb1d15f0c06a5546ab9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 30 Mar 2026 09:53:20 +0200 Subject: [PATCH 5/8] Add rule ensure_gpgcheck_never_disabled to the dnf component --- components/dnf.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/components/dnf.yml b/components/dnf.yml index ff1d7d264df3..65a1e2b888d0 100644 --- a/components/dnf.yml +++ b/components/dnf.yml @@ -10,6 +10,7 @@ rules: - enable_gpgcheck_for_all_repositories - ensure_gpgcheck_globally_activated - ensure_gpgcheck_local_packages +- ensure_gpgcheck_never_disabled - ensure_gpgcheck_repo_metadata - package_dnf-automatic_installed - package_dnf-plugin-subscription-manager_installed 
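Review bot: The exemption in the hummingbird branch matches the literal account name `65532`, while the commit message describes the user by its UID; the `users_ignored` state this pattern feeds is not visible in the hunk, so whether it compares the account name or the numeric id cannot be confirmed here, and the two are interchangeable only if the distroless account really is named after its UID. Making that explicit in the inline comment, e.g. `{{# The distroless default user's account name is literally "65532"; this regex matches the name, not the UID. #}}`, tells the next maintainer what to re-verify if the image changes. Keeping the exemption inside the `product == "hummingbird"` branch, so that an account with that name on any other platform is still checked, is the right scoping. The enclosing macro starts outside the hunk.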
From 70d0f399c96c7fc982868d7a5bb5f5a816fe0d91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Apr 2026 10:07:15 +0200 Subject: [PATCH 6/8] Change platforms in sysctl_kernel_ipv6_disable If any OVAL file in `shared/checks/oval` doesn't contain platforms of all products, it causes a warning when building the product that isn't listed there. WARNING:root:Missing OVAL component: sysctl_kernel_ipv6_disable. That's probably caused by an inefficiency of our build system which first loads all OVALs from the shared directory and then it drops these that aren't needed by the product. So the OVALs in shared need to be defined in a way they would be applicable to all products. That being said, I have discovered that all other OVALs in the shared directory don't enumerate all possible platforms, but they simply contain a single platform element containing multi_platform_all. I will do the same change here. --- .../oval/sysctl_kernel_ipv6_disable.xml | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml index a190c89497e9..5ed3e7e14415 100644 --- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml @@ -3,25 +3,7 @@ Kernel Runtime Parameter IPv6 Check - multi_platform_alinux - multi_platform_almalinux - multi_platform_anolis - multi_platform_debian - multi_platform_example - multi_platform_fedora - multi_platform_hummingbird - multi_platform_kylinserver - multi_platform_openembedded - multi_platform_openeuler - multi_platform_opensuse - multi_platform_ol - multi_platform_rhcos - multi_platform_rhel - multi_platform_rhv - multi_platform_sle - multi_platform_slmicro - multi_platform_tencentos - multi_platform_ubuntu + multi_platform_all Disables IPv6 for all network interfaces. From e80f5dacf8ded77818900facdaadef6c47bef436 Mon Sep 17 00:00:00 2001 
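Review bot: The reason for collapsing the platform list to `multi_platform_all` lives only in the commit message; nothing in the file stops the next contributor from adding a product-specific platform again and re-introducing the `Missing OVAL component` warning for every product not listed. An XML comment next to the platform element, e.g. `<!-- multi_platform_all on purpose: shared OVALs are loaded for every product before pruning, so a narrower list produces "Missing OVAL component" warnings in the products left out. -->`, records that. Because this widens the check's declared applicability, it presumably relies on the rule's own platform and product selection to keep the sysctl check off products where it is not wanted; that is consistent with the other shared OVALs the commit message describes, but it is not verifiable from this hunk.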
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Apr 2026 10:27:43 +0200 Subject: [PATCH 7/8] Limit the dnf platform in ensure_gpgcheck_never_disabled We will set the package platform only on the hummingbird product to avoid having a weird syntax with jinja substitution in the platform specifier. --- .../software/updating/ensure_gpgcheck_never_disabled/rule.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml index a36bc19edc32..bcb25fb3fb8f 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/rule.yml @@ -76,4 +76,6 @@ checktext: |- If "gpgcheck" is not set to "1" for all returned lines, this is a finding. -platform: package[{{{ pkg_manager }}}] +{{% if product == "hummingbird" %}} +platform: package[dnf] +{{% endif %}} From 01318289a483368035282d12b2cb909ca4a8144a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Apr 2026 13:37:05 +0200 Subject: [PATCH 8/8] Update notes and statuses in control files The control files in the hummingbird project have been reviewed and status and notes keys have been updated. Most importantly some notes copied from the RHEL 10 product have been removed because they aren't relevant in Hummingbird images --- .../hummingbird/controls/cis_hummingbird.yml | 118 +++--------------- 1 file changed, 19 insertions(+), 99 deletions(-) diff --git a/products/hummingbird/controls/cis_hummingbird.yml b/products/hummingbird/controls/cis_hummingbird.yml index da15565af106..08dd651659ce 100644 --- a/products/hummingbird/controls/cis_hummingbird.yml +++ b/products/hummingbird/controls/cis_hummingbird.yml 
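Review bot: Every product other than hummingbird loses the rule's `platform` line entirely, because the new conditional has no else branch; before this change the rule was gated on `package[{{{ pkg_manager }}}]` for all of them. Unless that line was failing to build, keeping it as the fallback — `{{% else %}}` followed by `platform: package[{{{ pkg_manager }}}]` before the `{{% endif %}}` — preserves the previous applicability for the other products while still using the fixed `package[dnf]` on hummingbird. If dropping the guard everywhere is intentional, the commit message should say so, since the rule could then be evaluated on systems where the package manager it inspects is absent. The rest of the rule body is outside the hunk.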
@@ -18,16 +18,6 @@ reference_type: cis product: hummingbird controls: - - - id: reload_dconf_db - title: Reload Dconf database - levels: - - l1_server - - l1_workstation - notes: |- - This is a helper rule to reload Dconf database correctly. - status: not applicable - - id: 1.1.1.1 title: Ensure cramfs kernel module is not available (Automated) levels: @@ -103,7 +93,7 @@ controls: levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 1.1.2.1.1 title: Ensure /tmp is tmpfs or a separate partition (Automated) @@ -313,14 +303,14 @@ controls: levels: - l2_server - l2_workstation - status: manual + status: not applicable - id: 1.2.1.4 title: Ensure package manager repositories are configured (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 1.2.1.5 title: Ensure weak dependencies are configured (Automated) @@ -397,9 +387,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - There is no automated remediation for this rule and this is intentional. - More details in the rule description. - id: 1.4.2 title: Ensure access to bootloader config is configured (Automated) @@ -407,7 +394,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: This requirement demands a deeper review of the rules. - id: 1.5.1 title: Ensure core file size is configured (Automated) @@ -685,9 +671,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - Many of the libvirt packages used by Enterprise Linux virtualization are dependent on the - nfs-utils package. - id: 2.1.10 title: Ensure print server services are not in use (Automated) 
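Review bot: Controls flipped from `manual` to `not applicable` here (the control preceding 1.1.2.1.1 in the `@@ -103` hunk, and 1.2.1.4 plus its predecessor in the `@@ -313` hunk) carry no `notes` explaining why they do not apply to Hummingbird images, and the same holds for the later `@@ -1194`, `@@ -1205`, `@@ -1796` and `@@ -1866` hunks, where whole groups (firewalld 4.1.x, journald 6.2.1.x, rsyslog 6.2.3.x) become not applicable without a stated reason. `not applicable` is the status an auditor questions first, so one line per group — for instance `notes: Hummingbird container images ship no syslog daemon, so this control does not apply.`, if that is the actual reason — keeps the decision reviewable in the control file rather than only in the commit history. The first hunk also drops the reload_dconf_db helper entry silently; that is fine if the product selects no dconf rules, but it is worth a sentence in the commit message.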
@@ -701,9 +684,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - Many of the libvirt packages used by Enterprise Linux virtualization, and the nfs-utils - package used for The Network File System (NFS), are dependent on the rpcbind package. - id: 2.1.12 title: Ensure rsync services are not in use (Automated) @@ -1194,10 +1174,7 @@ controls: levels: - l1_server - l1_workstation - status: pending - notes: |- - There is not an easy way to do this for only active zones using OVAL. - For now, there are are no rules for this control. + status: not applicable - id: 4.1.5 title: Ensure firewalld loopback traffic is configured (Automated) @@ -1205,22 +1182,20 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - Firewalld in Red Hat Enterprise Linux 10 accepts loopback traffic by default. - id: 4.1.6 title: Ensure firewalld loopback source address traffic is configured (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 4.1.7 title: Ensure firewalld services and ports are configured (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 5.1.1 title: Ensure access to /etc/ssh/sshd_config is configured (Automated) @@ -1270,9 +1245,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - The requirement gives an example of 45 seconds, but is flexible about the values. It is only - necessary to ensure there is a timeout configured in alignment to the site policy. - id: 5.1.8 title: Ensure sshd DisableForwarding is enabled (Automated) @@ -1308,10 +1280,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - This CIS requirement shall be notapplicable on RHEL 10. The CIS - Benchmark requires disabling the weak SHA1 key exchange algorithms, - but RHEL 10 doesn't provide these algorithms. - id: 5.1.13 title: Ensure sshd LoginGraceTime is configured (Automated) 
@@ -1326,10 +1294,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - The CIS benchmark is not opinionated about which loglevel is selected here. Here, this - profile uses VERBOSE by default, as it allows for the capture of login and logout activity - as well as key fingerprints. - id: 5.1.15 title: Ensure sshd MACs are configured (Automated) @@ -1435,11 +1399,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - Members of "wheel" or GID 0 groups are checked by default if the group option is not set for - pam_wheel.so module. The recommendation states the group should be empty to reinforce the - use of "sudo" for privileged access. Therefore, members of these groups should be manually - checked or a different group should be informed. - id: 5.3.1.1 title: Ensure active authselect profile includes pam modules (Automated) @@ -1447,12 +1406,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - This rule verifies that the active authselect profile includes the required PAM modules: - pam_pwquality.so, pam_pwhistory.so, pam_faillock.so, and pam_unix.so in both system-auth - and password-auth files. The rule checks the authselect profile source files directly, - not the symlinked files in /etc/pam.d/. Other rules ensure these modules are properly - configured with correct options. - id: 5.3.1.2 title: Ensure pam_faillock module is enabled (Automated) @@ -1460,7 +1413,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: This requirement is also indirectly satisfied by the requirement 5.3.2.1. - id: 5.3.1.3 title: Ensure pam_pwquality module is enabled (Automated) @@ -1468,7 +1420,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: This requirement is also indirectly satisfied by the requirement 5.3.2.2. - id: 5.3.1.4 title: Ensure pam_pwhistory module is enabled (Automated) 
@@ -1476,9 +1427,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - The module is properly enabled by the rules mentioned in related_rules. - Requirements in 5.3.2.3 use these rules. - id: 5.3.1.5 title: Ensure pam_unix module is enabled (Automated) @@ -1500,10 +1448,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - The policy also accepts value 0, which means the locked accounts should be manually unlocked - by an administrator. However, it also mentions that using value 0 can facilitate a DoS - attack to legitimate users. - id: 5.3.2.1.3 title: Ensure password failed attempts lockout includes root account (Automated) @@ -1532,12 +1476,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - This requirement is expected to be manual. However, in previous versions of the policy - it was already automated the configuration of "minclass" option. This posture was kept for - RHEL 10 in this new version. Rules related to other options are informed in related_rules. - In short, minclass=4 alone can achieve the same result achieved by the combination of the - other 4 options mentioned in the policy. - id: 5.3.2.2.4 title: Ensure password same consecutive characters is configured (Automated) @@ -1573,10 +1511,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - Although mentioned in the section 5.3.3.3, there is no explicit requirement to configure - retry option of pam_pwhistory. If come in the future, the rule accounts_password_pam_retry - can be used. - id: 5.3.2.3.2 title: Ensure password history is enforced for the root user (Automated) 
@@ -1591,10 +1525,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - In RHEL 10 pam_pwhistory is enabled via authselect feature, as required in 5.3.1.4. The - feature automatically set "use_authok" option. In any case, we don't have a rule to check - this option specifically. - id: 5.3.2.4.1 title: Ensure pam_unix does not include nullok (Automated) @@ -1602,7 +1532,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: The rule more specifically used in this requirement also satify the requirement 5.3.1.5. - id: 5.3.2.4.2 title: Ensure pam_unix does not include remember (Automated) @@ -1610,11 +1539,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommended by this policy. Instead, it should be used remember option of pam_pwhistory - module, as required in 5.3.2.3.1. See here for more details about pam_unix.so: - https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - id: 5.3.2.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) @@ -1622,7 +1546,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: Changes in logindefs mentioned in this requirement are more specifically covered by 5.4.1.4 - id: 5.3.2.4.4 title: Ensure pam_unix includes use_authtok (Automated) @@ -1630,10 +1553,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: |- - In RHEL 10 pam_unix is enabled by default in all authselect profiles already with the - use_authtok option set. In any case, we don't have a rule to check this option specifically, - like in 5.3.2.3.3. - id: 5.4.1.1 title: Ensure password expiration is configured (Automated) 
@@ -1689,9 +1608,11 @@ controls: levels: - l1_server - l1_workstation - status: partial + status: automated notes: |- There is assessment but no automated remediation for this rule and this sounds reasonable. + rules: + - accounts_root_gid_zero - id: 5.4.2.3 title: Ensure group root is the only GID 0 group (Automated) @@ -1796,14 +1717,14 @@ controls: levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 6.2.1.3 title: Ensure journald log file rotation is configured (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 6.2.1.4 title: Ensure only one logging system is in use (Automated) 
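Review bot: In the `@@ -1689` hunk the status becomes `automated` while the retained note still says there is no automated remediation for this rule, which is exactly why the status used to be `partial`; the two now contradict each other for the control preceding 5.4.2.3. If accounts_root_gid_zero ships no remediation, keep `status: partial` (or whatever status the project uses for check-only coverage); if it does, delete the note. The control's `id` and `title` lines are outside the hunk, so the exact control cannot be named here.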
@@ -1866,56 +1787,56 @@ controls: levels: - l1_server - l1_workstation - status: supported + status: not applicable - id: 6.2.3.2 title: Ensure rsyslog service is enabled and active (Automated) levels: - l1_server - l1_workstation - status: supported + status: not applicable - id: 6.2.3.3 title: Ensure journald is configured to send logs to rsyslog (Automated) levels: - l1_server - l1_workstation - status: supported + status: not applicable - id: 6.2.3.4 title: Ensure rsyslog log file creation mode is configured (Automated) levels: - l1_server - l1_workstation - status: supported + status: not applicable - id: 6.2.3.5 title: Ensure rsyslog logging is configured (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 6.2.3.6 title: Ensure rsyslog is configured to send logs to a remote log host (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 6.2.3.7 title: Ensure rsyslog is not configured to receive logs from a remote client (Automated) levels: - l1_server - l1_workstation - status: supported + status: not applicable - id: 6.2.3.8 title: Ensure rsyslog logrotate is configured (Manual) levels: - l1_server - l1_workstation - status: manual + status: not applicable - id: 6.2.4.1 title: Ensure access to all logfiles has been configured (Automated) @@ -1923,7 +1844,6 @@ controls: - l1_server - l1_workstation status: not applicable - notes: It is not harmful to run these rules even if rsyslog is not installed or active. - id: 6.3.1.1 title: Ensure auditd packages are installed (Automated)