File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (104 lines) | stat: -rw-r--r-- 4,974 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
 
documentation_complete: true


title: 'Require Authentication for Single User Mode'

description: |-
    Single-user mode is intended as a system recovery
    method, providing a single user root access to the system by
    providing a boot option at startup.
    <br /><br />
    By default, single-user mode is protected by requiring a password and is set
    in <tt>/usr/lib/systemd/system/rescue.service</tt>.

rationale: |-
    This prevents attackers with physical access from trivially bypassing security
    on the machine and gaining root access. Such accesses are further prevented
    by configuring the bootloader password.

severity: medium

identifiers:
    cce@rhcos4: CCE-82550-5
    cce@rhel8: CCE-80855-0
    cce@rhel9: CCE-83594-2
    cce@rhel10: CCE-90014-2
    cce@sle12: CCE-92324-3
    cce@sle15: CCE-91428-3
    cce@slmicro5: CCE-94048-6

references:
    cis-csc: 1,11,12,14,15,16,18,3,5
    cis@sle12: 1.5.3
    cis@sle15: 1.5.3
    cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10
    cui: 3.1.1,3.4.5
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
    ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
    iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
    nist: IA-2,AC-3,CM-6(a)
    nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.PT-3
    ospp: FIA_UAU.1
    srg: SRG-OS-000080-GPOS-00048
    stigid@ol7: OL07-00-010481
    stigid@ol8: OL08-00-010151

ocil_clause: 'the output is different'


ocil: |-
    To check if authentication is required for single-user mode, run the following command:
    <pre>$ grep sulogin /usr/lib/systemd/system/rescue.service</pre>
    The output should be similar to the following, and the line must begin with
    {{% if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
        ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
        <pre>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</pre>
    {{%- else -%}}
        ExecStart and /sbin/sulogin.
        <pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
    {{%- endif %}}

    In case the output does not match, check if the <tt>ExecStart</tt> directive is not overridden:
    <pre>grep ExecStart /etc/systemd/system/rescue.service.d/*.conf</pre>
    The output should contain two lines:
    <pre>ExecStart=
    {{% if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</pre>
    {{%- else -%}}
    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
    {{%- endif %}}


    {{% if product not in ["ol8", "rhel8"] %}}
    Then, verify that the rescue service is in the runlevel1.target.
    Run the following command:
    <pre>$ sudo grep "^Requires=.*rescue\.service" /usr/lib/systemd/system/runlevel1.target</pre>
    The output should be the following:
    <pre>Requires=sysinit.target rescue.service</pre>

    Then, check if there is no custom runlevel1 target configured in systemd configuration.
    Run the following command:
    <pre>$ sudo grep -r "^runlevel1.target$" /etc/systemd/system</pre>
    There should be no output.

    Then, check if there is no custom rescue service configured in systemd configuration.
    Run the following command:
    <pre>$ sudo grep -r "^rescue.service$" /etc/systemd/system</pre>
    There should be no output.
    {{% endif %}}

fixtext: |-
    Configure {{{ full_name }}} to require authentication in single user mode.

    Ensure that there are following two lines  in <tt>/etc/systemd/system/rescue.service.d/10-remediation.conf</tt>:
    <pre>ExecStart=
    {{% if product in ["fedora", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</pre>
    {{%- else -%}}
    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
    {{%- endif %}}

srg_requirement: '{{{ full_name }}} must require authentication upon booting into rescue mode.'