Coverage - DISA, Linux
openscap scan results
The following scans were performed on a default installation of the noted Operating System with the SIMP Enterprise profile enforced.
| OS | EE Profile | Scan Type | Benchmark Version | Pass | Fail | Total % |
|---|---|---|---|---|---|---|
| Oracle Linux 7 | disa:mac-1:classified | 1 - Mission Critical Classified | V2R2 | 158 | 19 | 89% |
| Red Hat Enterprise Linux 7 | disa:mac-1:classified | 1 - Mission Critical Classified | V3R2 | 158 | 20 | 89% |
| Red Hat Enterprise Linux 8 | disa:mac-1:classified | 1 - Mission Critical Classified | V1R0 | 61 | 10 | 86% |
Control Coverage
The following report details the status of each CIS recommendation in the SIMP EE compliance data.
Paper policy controls refer to organizational policy requirements and cannot be reasonably enforced by SIMP at this time.
Mapped controls have enforcement and reporting support.
Unmapped controls are not supported at this time. A reason for the lack of support is provided for each unmapped control.
Detail
Paper Policy
The following controls require administrative documentation:
OracleLinux 7 (6/177 [3%])
- V-221653
- The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-221692
- The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
- Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- V-221719
- The Oracle Linux operating system must be a vendor supported release.
- If this check fails then the scan was not run on a supported Oracle Linux 7 operating system.
- V-221748
- The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-221754
- The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
- There is no way to safely change this on a running system.
- V-221755
- The Oracle Linux operating system must use a separate file system for /var.
- There is no way to safely change this on a running system.
RedHat 7 (5/178 [2%])
- V-204458
- The Red Hat Enterprise Linux operating system must be a vendor supported release.
- If this check fails then the scan was not run on a supported Red Hat Enterprise Linux 7 operating system.
- V-204487
- The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-204493
- The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
- There is no way to safely change this on a running system.
- V-204494
- The Red Hat Enterprise Linux operating system must use a separate file system for /var.
- There is no way to safely change this on a running system.
- V-214799
- The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
- We do not currently have a mechanism for scanning the filesystem for enforcement.
RedHat 8 (7/71 [9%])
- V-230221
- RHEL 8 must be a vendor-supported release.
- If this check fails then the scan was not run on a supported Oracle Linux 8 operating system.
- V-230232
- RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
- Locking a user due to inappropriate encryption is not currently available in simp. A mechanism to address this rule will be implemented in a future release.
- V-230238
- RHEL 8 must prevent system daemons from using Kerberos for authentication.
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-230271
- RHEL 8 must require users to provide a password for privilege escalation.
- Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- V-230272
- RHEL 8 must require users to reauthenticate for privilege escalation.
- There is currently no mechanism in simp to remove all occurrences of ‘!authenticate’ from sudoers. A mechanism to report, but not change, the existence of this statement in sudoers will be implemented in a future release.
- V-230284
- There must be no .shosts files on the RHEL 8 operating system.
- We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-230528
- RHEL 8 must force a frequent session key renegotiation for SSH connections by the client.
- There is currently no way to set ssh client settings via hieradata. A mechanism to address this rule will be implemented in a future release.
Mapped
The following controls are mapped:
OracleLinux 7 (171/177 [96%])
- V-221654
- V-221657
- V-221658
- V-221660
- V-221661
- V-221664
- V-221665
- V-221666
- V-221667
- V-221668
- V-221669
- V-221670
- V-221671
- V-221672
- V-221673
- V-221674
- V-221675
- V-221676
- V-221677
- V-221678
- V-221680
- V-221681
- V-221682
- V-221683
- V-221684
- V-221685
- V-221686
- V-221687
- We can only report on this because removing nullok could cause issues on a production system.
- V-221688
- V-221689
- V-221693
- V-221694
- V-221695
- V-221696
- V-221697
- V-221698
- V-221699
- V-221700
- V-221701
- V-221702
- V-221704
- V-221705
- V-221708
- This will be set in the root user crontab rather than /etc/cron.daily/aide
- V-221710
- V-221711
- V-221712
- V-221713
- V-221714
- V-221715
- V-221718
- V-221722
- V-221723
- V-221727
- V-221728
- V-221743
- V-221744
- V-221751
- V-221752
- V-221757
- V-221758
- V-221763
- V-221764
- V-221765
- V-221767
- Audit logs will be offloaded via syslog by default rather than utilizing audisp
- V-221768
- V-221769
- V-221770
- Audit logs will be offloaded via syslog by default rather than utilizing audisp
- V-221771
- TLS will be turned on in syslog, which will ensure log transmissions are encrypted
- V-221772
- V-221773
- The system will be set up to go directly to syslog by default rather than falling back to it if auditd is enabled
- V-221775
- V-221776
- V-221777
- V-221778
- V-221779
- V-221780
- V-221781
- V-221782
- V-221783
- V-221784
- V-221785
- V-221786
- V-221787
- V-221788
- V-221789
- V-221790
- V-221791
- V-221792
- V-221793
- V-221794
- V-221795
- V-221796
- V-221797
- V-221798
- V-221799
- V-221800
- V-221801
- V-221802
- V-221803
- V-221804
- V-221805
- V-221806
- V-221807
- V-221808
- V-221809
- V-221810
- V-221811
- V-221812
- V-221813
- V-221814
- V-221815
- V-221816
- V-221817
- V-221818
- V-221819
- V-221820
- V-221821
- V-221822
- V-221823
- V-221824
- V-221825
- V-221826
- V-221827
- V-221828
- V-221829
- V-221830
- V-221831
- V-221832
- V-221833
- V-221834
- V-221838
- V-221840
- The value in /etc/ssh/sshd_config matches exactly what is expected in the fixtext; however, the test may still show this as failing.
- V-221846
- V-221847
- V-221849
- V-221850
- V-221851
- V-221852
- V-221853
- The fixtext requested will be in /etc/pam.d/auth rather than /etc/pam.d/postlogin; the last login time will still be displayed as desired upon login.
- V-221854
- V-221855
- V-221856
- V-221857
- V-221858
- V-221859
- V-221860
- V-221861
- V-221862
- V-221863
- V-221864
- V-221869
- V-221870
- V-221871
- V-221872
- The only way to safely handle enforcing the number of nameservers is to simply report on it. If users wish to remediate this manually and add a second nameserver, they can control their nameservers via the simp_options::dns::servers array value in hiera.
- V-221873
- V-221876
- V-221877
- V-221878
- V-221879
- V-221880
- V-221881
- V-221884
- V-221885
- V-221886
- V-221888
- V-221889
- V-221891
- V-221894
- V-221895
- V-221896
- V-221897
RedHat 7 (173/178 [97%])
- V-204393
- V-204396
- V-204397
- V-204398
- V-204399
- V-204402
- V-204403
- V-204404
- V-204405
- V-204406
- V-204407
- V-204408
- V-204409
- V-204410
- V-204411
- V-204412
- V-204413
- V-204414
- V-204415
- V-204416
- V-204417
- V-204418
- V-204419
- V-204420
- V-204421
- V-204422
- V-204423
- V-204424
- We can only report on this because removing nullok could cause issues on a production system.
- V-204425
- V-204426
- V-204429
- V-204430
- V-204431
- V-204432
- V-204433
- V-204434
- V-204435
- V-204436
- V-204437
- V-204438
- V-204439
- V-204440
- V-204442
- V-204443
- V-204445
- This will be set in the root user crontab rather than /etc/cron.daily/aide
- V-204447
- V-204448
- V-204449
- V-204450
- V-204451
- V-204452
- V-204457
- V-204461
- V-204462
- V-204466
- V-204467
- V-204482
- V-204483
- V-204490
- V-204491
- V-204495
- V-204496
- V-204497
- V-204502
- V-204503
- V-204504
- V-204506
- Audit logs will be offloaded via syslog by default rather than utilizing audisp
- V-204507
- V-204508
- V-204509
- Audit logs will be offloaded via syslog by default rather than utilizing audisp
- V-204510
- TLS will be turned on in syslog, which will ensure log transmissions are encrypted
- V-204511
- V-204512
- The system will be set up to go directly to syslog by default rather than falling back to it if auditd is enabled
- V-204514
- V-204515
- V-204516
- V-204517
- V-204518
- V-204519
- V-204520
- V-204521
- V-204522
- V-204523
- V-204524
- V-204525
- V-204526
- V-204527
- V-204528
- V-204529
- V-204530
- V-204531
- V-204532
- V-204533
- V-204534
- V-204535
- V-204536
- V-204537
- V-204538
- V-204539
- V-204540
- V-204541
- V-204542
- V-204543
- V-204544
- V-204545
- V-204546
- V-204547
- V-204548
- V-204549
- V-204550
- V-204551
- V-204552
- V-204553
- V-204554
- V-204555
- V-204556
- V-204557
- V-204558
- V-204559
- V-204560
- V-204561
- V-204562
- V-204563
- V-204564
- V-204565
- V-204566
- V-204567
- V-204568
- V-204569
- V-204570
- V-204571
- V-204572
- V-204573
- V-204576
- V-204578
- The value in /etc/ssh/sshd_config matches exactly what is expected in the fixtext; however, the test may still show this as failing.
- V-204584
- V-204585
- V-204587
- V-204588
- V-204589
- V-204590
- V-204591
- V-204592
- V-204593
- V-204594
- V-204595
- V-204596
- V-204597
- V-204598
- V-204599
- V-204600
- V-204601
- V-204602
- V-204605
- The fixtext requested will be in /etc/pam.d/auth rather than /etc/pam.d/postlogin; the last login time will still be displayed as desired upon login.
- V-204606
- V-204607
- V-204609
- V-204612
- V-204613
- V-204614
- V-204615
- V-204616
- V-204617
- V-204620
- V-204621
- V-204622
- V-204624
- V-204625
- V-204627
- V-204630
- V-204631
- V-204632
- V-204633
RedHat 8 (64/71 [90%])
- V-230223
- V-230231
- V-230233
- V-230234
- V-230235
- V-230239
- V-230241
- V-230244
- V-230264
- Disabling gpgcheck globally is as close as we can get for this check; users may require access to private repos that might not have encryption set up appropriately.
- V-230265
- V-230266
- V-230267
- V-230268
- V-230269
- V-230270
- V-230273
- V-230283
- V-230286
- V-230287
- V-230288
- V-230289
- V-230290
- V-230291
- V-230296
- V-230297
- V-230306
- V-230311
- V-230324
- V-230330
- V-230346
- V-230365
- V-230366
- V-230380
- V-230382
- V-230383
- V-230386
- V-230404
- V-230405
- V-230406
- V-230407
- V-230408
- V-230411
- V-230412
- V-230478
- V-230487
- V-230488
- V-230489
- V-230492
- V-230501
- V-230527
- V-230531
- V-230533
- V-230534
- V-230541
- V-230542
- V-230545
- V-230546
- This rule has been implemented and the value on the system matches the fixtext exactly, however, the test may still show this as a failure.
- V-230548
- V-230549
- V-230556
- V-230558
- V-230559
- V-230560
- V-230561
- The level of effort to address the removal of the tuned package was higher than initially anticipated. A mechanism to address this rule will be implemented in a future release.