ansible-lockdown/RHEL6-STIG

V1R24

jamescassell opened this issue · 1 comment

NEW

  • RHEL-06-000534 V-97229 fips=1 in the kernel cmdline
  • RHEL-06-000244 V-97231 FIPS compliant MACs in sshd_config

UPDATED

  • RHEL-06-000078 thru RHEL-06-000099 sysctl --system to enforce sysctl params, sysctl.d files are fine, too (I didn't verify our fixes for these, but this change is just a clarification)
  • RHEL-06-000067 V-38583 Removes check for UEFI grub.conf permissions (I didn't verify our fix, but this change is a relaxing of the previous rule, so any deficiency should be in an already-open ticket.)
  • RHEL-06-000223 V-38609 tftp okay if documented and approved by ISSO
  • RHEL-06-000243 V-38617 sshd_config: removes cbc-mode ciphers from the example list in favor of ctr ciphers, but the check does not meaningfully change; "fips approved" is the requirement:
-Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
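Review bot: the new example keeps only the three ctr ciphers and drops aes128-cbc, 3des-cbc, aes192-cbc and aes256-cbc; a playbook template that still writes the older V1R23 line leaves those cbc ciphers enabled while still satisfying the unchanged "fips approved" check text, so align the Ciphers template with the shorter list rather than relying on the check alone.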

https://vaulted.io/library/disa-stigs-srgs/red_hat_enterprise_linux_6_security_technical_implementation_guide?version=V1R23&compareto=V1R24

(There was no RHEL 6 STIG update today, but there was an updated benchmark.)
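As an added example (not part of this issue or of the RHEL6-STIG playbook), here is a small POSIX shell audit for the V1R24 items above: fips=1 on the kernel command line (V-97229) and FIPS-approved Ciphers/MACs in sshd_config (V-38617, V-97231). The cipher list is the one from the V1R24 example; the MAC list is an assumption to be replaced with the benchmark's own text; the three sshd_config files are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the RHEL6-STIG playbook. Sample inputs are constructed.

# Cipher list taken from the V1R24 example for V-38617 (ctr only).
APPROVED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr"
# Assumption: MAC list used for V-97231; replace with the benchmark's own list.
APPROVED_MACS="hmac-sha2-256 hmac-sha2-512"

# is_in LIST WORD: 0 if WORD is one of the space-separated words in LIST.
is_in() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_sshd_option FILE KEYWORD APPROVED
# sshd honours the first occurrence of a keyword, so only that line is inspected.
# Returns 0 if every value is approved, 1 if any value is not, 2 if the keyword
# is absent (OpenSSH 5.3 on RHEL 6 then uses built-in defaults that include cbc).
check_sshd_option() {
    _file=$1; _key=$2; _approved=$3
    _line=$(grep -i "^[[:space:]]*${_key}[[:space:]]" "$_file" | head -n 1)
    [ -n "$_line" ] || return 2
    for v in $(printf '%s\n' "$_line" | awk '{print $2}' | tr ',' ' '); do
        is_in "$_approved" "$v" || return 1
    done
    return 0
}

# check_fips_cmdline CMDLINE: 0 if the kernel was booted with fips=1 (V-97229).
# On a live host call it as: check_fips_cmdline "$(cat /proc/cmdline)"
check_fips_cmdline() {
    is_in "$1" "fips=1"
}

# audit_sshd FILE: 0 only if both Ciphers and MACs are present and approved.
audit_sshd() {
    check_sshd_option "$1" Ciphers "$APPROVED_CIPHERS" && \
    check_sshd_option "$1" MACs "$APPROVED_MACS"
}

# Constructed sample sshd_config files (not taken from any real host).
OLD_CFG=$(mktemp); NEW_CFG=$(mktemp); BARE_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$NEW_CFG" "$BARE_CFG"' EXIT
cat > "$OLD_CFG" <<'EOF'
# constructed: V1R23-style example, still lists cbc ciphers and an md5 MAC
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-md5
EOF
cat > "$NEW_CFG" <<'EOF'
# constructed: V1R24 example list
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
cat > "$BARE_CFG" <<'EOF'
# constructed: no Ciphers/MACs line at all, so sshd defaults apply
Protocol 2
EOF

for f in "$OLD_CFG" "$NEW_CFG" "$BARE_CFG"; do
    if audit_sshd "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
if check_fips_cmdline "ro root=/dev/mapper/vg_rhel6-lv_root rhgb quiet"; then
    echo "PASS fips=1 present"
else
    echo "FAIL fips=1 missing from constructed cmdline"
fi
```

The absent-keyword case is reported separately (return 2) because a missing Ciphers or MACs line is a fail, not a pass: the compiled-in OpenSSH defaults on RHEL 6 include the cbc ciphers the V1R24 example removed. On a real RHEL 6 host, fips=1 on its own is not enough when /boot is a separate partition; the boot=<device> parameter has to accompany it so the FIPS integrity check can locate the kernel at boot.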