RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 8. 24 July 2015



Similar documents
UNCLASSIFIED. Trademark Information

STIGs,, SCAP and Data Metrics

RMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Department of Defense INSTRUCTION

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

DEPARTMENT OF DEFENSE (DoD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release January 2015

DoD ANNEX TO THE COLLABORATIVE PROTECTION PROFILE (cpp) FOR STATEFUL TRAFFIC FILTER FIREWALLS V1.0. Version 1, Release 2.

DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release February 2014

APPLICATION SECURITY AND DEVELOPMENT SECURITY TECHNICAL IMPLEMENTATION GUIDE Version 3, Release July Developed by DISA for the DoD

DoDI IA Control Checklist - MAC 3-Public. Version 1, Release March 2008

DoDI IA Control Checklist - MAC 2-Sensitive. Version 1, Release March 2008

Patch Assessment Content Update Release Notes for CCS Version: Update

LAB FORWARD. WITH PROService RMS TECHNOLOGY, ARCHITECTURE AND SECURITY INFORMATION FOR IT PROFESSIONALS

HP Server Automation Enterprise Edition

Department of Defense INSTRUCTION

SUSE Linux Enterprise 12 Security Certifications

Best Practices Guide for DoD Cloud Mission Owners

Mark S. Orndorff Director, Mission Assurance and NetOps

An Oracle Technical Article November Certification with Oracle Linux 6

Implications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC

The Operating System Lock Down Solution for Linux

California Department of Technology, Office of Technology Services AIX/LINUX PLATFORM GUIDELINE Issued: 6/27/2013 Tech.Ref No

An Oracle Technical Article March Certification with Oracle Linux 7

How To Monitor Your Entire It Environment

Office of Inspector General

Federal Desktop Core Configuration (FDCC)

AUDIT REPORT. The Energy Information Administration s Information Technology Program

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

NOTICE: This publication is available at:

March

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition

WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Version 6, Release December Developed by DISA for the DoD

AHS Vulnerability Scanning Standard

CHAIRMAN OF THE JOINT CHIEFS OF STAFF INSTRUCTION

BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

Enterprise Audit Management Instruction for National Security Systems (NSS)

SUSE Linux uutuudet - kuulumiset SUSECon:sta

Security Control Standard

Compatibility Matrix BES12. September 16, 2015

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

Army Golden Master (AGM) Microsoft Products

An Oracle Technical Article October Certification with Oracle Linux 5

NOTICE: This publication is available at:

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Unbreakable Linux Network An Overview

VIDEO TELE-CONFERENCE CHECKLIST Version 1, Release April Developed by DISA for the DoD

A Comprehensive Cyber Compliance Model for Tactical Systems

TIBCO ActiveMatrix BusinessWorks Plug-in for TIBCO Managed File Transfer Software Installation

Information Security Program Management Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Automate Risk Management Framework

FedRAMP Standard Contract Language

2014 Audit of the Board s Information Security Program

Requirements for Upgrading from MetaLib 3.13 to MetaLib 4. Version 4

Compatibility Matrix. VPN Authentication by BlackBerry. Version 1.7.1

Nessus Agents. October 2015

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Linux. Managing security compliance

BlackBerry Enterprise Server Express for Microsoft Exchange

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B

FISMA Cloud GovDataHosting Service Portfolio

BlackBerry Enterprise Server for Microsoft Exchange. Compatibility Matrix March 25, 2013

AHS Flaw Remediation Standard

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

2015 Security Training Schedule

CS 2 SAT: The Control Systems Cyber Security Self-Assessment Tool

How To Improve Nasa'S Security

POLICY ON THE USE OF COMMERCIAL SOLUTIONS TO PROTECT NATIONAL SECURITY SYSTEMS

Medical Device Security Health Group Digital Output

Business Objects. Release Notes. Version: Publication: 07/2014. Automic Software GmbH

BlackBerry Enterprise Server Resource Kit BlackBerry Analysis, Monitoring, and Troubleshooting Tools Version: 5.0 Service Pack: 2.

Cybersecurity in a Mobile IP World

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Using SUSE Linux Enterprise to "Focus In" on Retail Optical Sales

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Requirements For Computer Security

Proactively Managing Servers with Dell KACE and Open Manage Essentials

Intel Solid-State Drive Data Center Tool User Guide Version 1.1

1 July 2015 Version 1.0

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Patch Management Marvin Christensen /CIAC

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

SUSE Linux Enterprise 12 Security Certifications Common Criteria, EAL, FIPS, PCI DSS,... What's All This About?

System Requirements and Platform Support Guide

Operating System Security Hardening for SAP HANA

Policy on Information Assurance Risk Management for National Security Systems

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Transcription:

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 8 24 July 2015 Developed by Red Hat, NSA, and for the DoD

Trademark Information Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our users, and do not constitute or imply endorsement by of any non-federal entity, event, product, service, or enterprise. ii

TABLE OF CONTENTS Page 1. INTRODUCTION...1 1.1 Executive Summary...1 1.2 Authority...1 1.3 Vulnerability Severity Category Code Definitions...1 1.4 STIG Distribution...2 1.5 SRG Compliance Reporting...2 1.6 Document Revisions...2 1.7 Other Considerations...2 2. ASSESSMENT CONSIDERATIONS...4 2.1 Command Examples...4 2.2 Alternate Software...4 2.3 Requirements for Disabled Functions...4 3. SOFTWARE PATCHING GUIDELINES...5 4. OPEN SOURCE SOFTWARE (OSS) POLICY...6 iii

LIST OF TABLES Page Table 1-1: Vulnerability Severity Category Code Definitions... 2 iv

1. INTRODUCTION 1.1 Executive Summary The Red Hat Enterprise Linux 6 (RHEL6) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from Federal and DoD consensus, based upon the Operating System Security Requirements Guide (OS SRG). SRGs are collections of requirements applicable to a given technology area. SRGs represent an intermediate step between Control Correlation Identifiers (CCIs) and STIGs. CCIs represent discrete, measurable, and actionable items sourced from Information Assurance (IA) controls defined in policy, such as those originating in Department of Defense (DoD) Instruction (DoDI) 8500.2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. STIGs provide product-specific information for validating and attaining compliance with requirements defined in the SRG for the product s technology area. The OS SRG contains general requirements for operating systems; this SRG may be used as a guide for enhancing the security configuration of any operating system. The vulnerabilities discussed in this document are applicable to RHEL6 Desktop and Server editions. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Secure Remote Computing, and appropriate application STIGs. 1.2 Authority DoD Instruction (DoDI) 8500.01 requires that "all IT that receives, processes, stores, displays, or transmits DoD information will be [ ] configured [ ] consistent with applicable DoD cybersecurity policies, standards, and architectures" and tasks that Defense Information Systems Agency () "develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders, and using automation whenever possible." This document is provided under the authority of DoDI 8500.01. Although the use of the principles and guidelines in these SRGs/STIGs provide an environment that contributes to the security requirements of DoD systems, applicable NIST SP 800-53 cybersecurity controls need to be applied to all systems and architectures based on the Committee on National Security Systems (CNSS) Instruction (CNSSI) 1253. 1.3 Vulnerability Severity Category Code Definitions Severity Category Codes (referred to as CAT) are a measure of vulnerabilities used to assess a facility or system security posture. Each security policy specified in this document is assigned a Severity Category Code of CAT I, II, or III. 1

Table 1-1: Vulnerability Severity Category Code Definitions CAT I CAT II CAT III Category Code Guidelines Any vulnerability, the exploitation of which will, directly and immediately result in loss of Confidentiality, Availability, or Integrity. Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity. Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity. 1.4 STIG Distribution Parties within the DoD and Federal Government's computing environments can obtain the applicable STIG from the Information Assurance Support Environment (IASE) website. This site contains the latest copies of any STIGs, SRGs, and other related security information. The address for the IASE site is http://iase.disa.mil/. 1.5 SRG Compliance Reporting All technical NIST SP 800-53 requirements were considered while developing this STIG. Requirements that are applicable and configurable will be included in the final STIG. A report marked For Official Use Only (FOUO) will be available for those items that did not meet requirements. This report will be available to component Authorizing Official (AO) personnel for risk assessment purposes by request via email to: disa.stig_spt@mail.mil. 1.6 Document Revisions Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the maintenance release schedule. 1.7 Other Considerations accepts no liability for the consequences of applying specific configuration settings made on the basis of the SRGs/STIGs. It must be noted that the configurations settings specified should be evaluated in a local, representative test environment before implementation in a production environment, especially within large user populations. The extensive variety of environments makes it impossible to test these configuration settings for all potential software configurations. For some production environments, failure to test before implementation may lead to a loss of required functionality. Evaluating the risks and benefits to a system s particular circumstances and requirements is the system owner's responsibility. The evaluated risks resulting from not 2

applying specified configuration settings must be approved by the responsible Authorizing Official. Furthermore, implies no warranty that the application of all specified configurations will make a system 100% secure. 3

2. ASSESSMENT CONSIDERATIONS 2.1 Command Examples Some check and fix procedures contain example commands that can be used to obtain information regarding compliance with a requirement or to change a setting to attain compliance with a requirement. These example commands assume use of a standard UNIX shell operating as the root user. If the software used by these commands is not present on the system, the system administrator (SA) or the reviewer is responsible for determining compliance with the requirement using the tools available on the system. Check procedures also contain instructions for evaluating compliance based on the output of these commands. 2.2 Alternate Software RHEL6 systems offer extreme flexibility in replacing components provided by Red Hat with other software to meet operational needs. Many of the check and fix procedures in the RHEL6 STIG assume the use of the software provided by Red Hat. If alternate software is used to provide a function ordinarily provided by a default system application, the specific check and fix information for that function is no longer valid. The SA or the reviewer is responsible for evaluating the requirements based on documentation available for the alternate software. The system accreditation package must contain information pertaining to the use of alternate software. 2.3 Requirements for Disabled Functions The RHEL6 STIG defines requirements for the further hardening and configuration of system functions that are required to be disabled. These requirements exist to address vulnerabilities in the system resulting from accidental activation, malicious intentional activation, or intentional activation of the system function based on acceptance of risk by the Authorizing Official (AO). Requirements for a system function remain applicable even when the system function is disabled. Requirements pertaining to software that is not installed on the system, and which has no remaining configuration files on the system, may be evaluated as NA. 4

3. SOFTWARE PATCHING GUIDELINES Maintaining the security of an RHEL6 system requires frequent reviews of security bulletins. Many security bulletins and IAVM notifications mandate the installation of software patches to overcome noted security vulnerabilities. The SA will be responsible for installing all such patches. The Information System Security Officer (ISSO) will ensure the vulnerabilities have been remedied. guidelines for remediation, including IAVMs, are as follows: Apply the applicable patch, upgrade to required software release, or remove the binary/application to remediate the finding. Or, the mode of the vulnerable binary may be changed to 0000 to downgrade the finding (for example, a CAT I finding may be downgraded to a CAT II). SAs and ISSOs will regularly check Red Hat s vendor and third-party application vendor websites for information on new vendor-recommended updates and security patches that are applicable to their site. All applicable vendor-recommended updates and security patches will be applied to the system. A patch is deemed applicable if the product is installed, even if it is not used or is disabled. 5

4. OPEN SOURCE SOFTWARE (OSS) POLICY On October 16 th 2009, DoD CIO provided clarifying guidance regarding Open Source Software (OSS), reminding the DoD to take advantage of the capabilities available in the Open Source community as long as certain prerequisites are met. The 2009 memo can be found online at: http://dodcio.defense.gov/portals/0/documents/foss/2009oss.pdf It reads: Software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of that software. In other words, OSS is software for which the source is open. Note: Red Hat Enterprise Linux 6, while meeting the DoD CIO definition of Open Source Software, is still considered Commercial-Off-The-Shelf (COTS) and requires purchase from the vendor. Additionally, per Section 2(d) of the 16 Oct 2009 DoD CIO memo: the use of any software without appropriate maintenance and support presents an information assurance risk. Before approving the use of software (including OSS), system/program managers, and ultimately Authorizing Officials (AOs), must ensure that the plan for software support (e.g. commercial or Government program office support) is adequate for mission need. The DoD CIO Open Source Frequently Asked Questions page can be found online, which provides educational resources for government employees and contractors to understand the policies and legal issues: http://dodcio.defense.gov/opensourcesoftwarefaq.aspx 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information