StigData/Processed/RHEL-7-3.6.org.default.xml
<!-- The organizational settings file is used to define the local organizations preferred setting within an allowed range of the STIG. Each setting in this file is linked by STIG ID and the valid range is in an associated comment. --> <OrganizationalSettings fullversion="3.6"> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "difok" is set to less than "8", this is a finding." --> <OrganizationalSetting id="V-204411" ContainsLine="difok = 8" DoesNotContainPattern="#\s*difok\s*=.*|^\s*difok\s*=\s*(-|)[0-7]$" /> <!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "minclass" is set to less than "4", this is a finding." --> <OrganizationalSetting id="V-204412" ContainsLine="minclass = 4" DoesNotContainPattern="^#\s*minclass\s*=.*|^\s*minclass\s*=\s*(?!\d{2,})[1-3]" /> <!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "maxrepeat" is set to more than "3", this is a finding." --> <OrganizationalSetting id="V-204413" ContainsLine="maxrepeat = 3" DoesNotContainPattern="^#\s*maxrepeat\s*=.*|^\s*maxrepeat\s*=\s*(?:\d{2,}|[4-9])" /> <!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "maxclassrepeat" is set to more than "4", this is a finding." --> <OrganizationalSetting id="V-204414" ContainsLine="maxclassrepeat = 4" DoesNotContainPattern="^#\s*maxclassrepeat\s*=.*|^\s*maxclassrepeat\s*=\s*(?:\d{2,}|[1-3|5-9])" /> <!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding." --> <OrganizationalSetting id="V-204418" ContainsLine="PASS_MIN_DAYS 1" DoesNotContainPattern="^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*" /> <!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding." --> <OrganizationalSetting id="V-204420" ContainsLine="PASS_MAX_DAYS 60" DoesNotContainPattern="^\s*PASS_MAX_DAYS\s*([6][1-9]|[7-9][0-9]|\d{3,})$|#\s*PASS_MAX_DAYS.*" /> <!-- Ensure that the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the command does not return a "minlen" value of 15 or greater, this is a finding." --> <OrganizationalSetting id="V-204423" ContainsLine="minlen = 15" DoesNotContainPattern="^\s*minlen\s*=\s*([0-9]|[1][1-4])$|#\s*minlen.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "INACTIVE" is set to "-1", a value greater than "35", is commented out, or is not defined, this is a finding." --> <OrganizationalSetting id="V-204426" ContainsLine="INACTIVE=35" DoesNotContainPattern="^#\s*INACTIVE\s*=.*|^\s*INACTIVE\s*=\s*(3[5-9]|[4-9]\d+|\d{3,})" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding." --> <OrganizationalSetting id="V-204431" ContainsLine="FAIL_DELAY 4" DoesNotContainPattern="^#\s*FAIL_DELAY.*|^FAIL_DELAY\s*(?!\d{2,})[1-3]" /> <!-- Ensure the IP address of the log aggregation server is defined; i.e.: remote_server = <IPAddress> --> <OrganizationalSetting id="V-204509" ContainsLine="" DoesNotContainPattern="" /> <!-- Ensure the value of the "disk_full_action" option is set to "SYSLOG", "SINGLE", or "HALT"; i.e.: "disk_full_action = single" --> <OrganizationalSetting id="V-204511" ContainsLine="disk_full_action = single" DoesNotContainPattern="^#\s*disk_full_action\s*=.*|^disk_full_action\s*=\s*(?!halt\b|single\b|syslog\b)\w+" /> <!-- Ensure the "network_failure_action" option is set to "SYSLOG", "SINGLE", or "HALT"; i.e.: "network_failure_action = syslog" --> <OrganizationalSetting id="V-204512" ContainsLine="network_failure_action = syslog" DoesNotContainPattern="^#\s*network_failure_action\s*=.*|^network_failure_action\s*=\s*(?!halt\b|single\b|syslog\b)\w+" /> <!-- Ensure the value of the "space_left" keyword is not set to 25 percent of the total partition size--> <OrganizationalSetting id="V-204513" ContainsLine="" DoesNotContainPattern="" /> <!-- Ensure the value of the "action_mail_acct" keyword is set to "root" and/or other accounts for security personnel; i.e.: "action_mail_acct = root" --> <OrganizationalSetting id="V-204515" ContainsLine="action_mail_acct = root" DoesNotContainPattern="^#\s*action_mail_acct.*|^action_mail_acct\s*=\s*(?!root\b)\w+" /> <!-- Ensure the "maxlogins" value is set to "10" or less --> <OrganizationalSetting id="V-204576" Contents="* hard maxlogins 10" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the file "/etc/profile.d/tmout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.--> <OrganizationalSetting id="V-204579.b" ContainsLine="declare -xr TMOUT=900" DoesNotContainPattern="^\s*TMOUT\s*=\s*[0-8]?[0-9]?[0-9]?$|^#\s*TMOUT.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." --> <OrganizationalSetting id="V-204587" ContainsLine="ClientAliveInterval 600" DoesNotContainPattern="^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$" /> <!-- Ensure the "Defaults timestamp_timeout=[value]" must be a number that is greater than or equal to "0" --> <OrganizationalSetting id="V-237635" Contents="Defaults timestamp_timeout=0" /> <!-- Ensure "set superusers =" is set to a unique name in /boot/grub2/grub.cfg--> <OrganizationalSetting id="V-244557" ContainsLine="" DoesNotContainPattern="" /> <!-- Ensure "set superusers =" is set to a unique name in /boot/efi/EFI/redhat/grub.cfg--> <OrganizationalSetting id="V-244558" ContainsLine="" DoesNotContainPattern="" /> </OrganizationalSettings> |