FreeBSD 10
FreeBSD 10 - Custom. Version v1 r1, released Oct. 5, 2018.
FreeBSD-10-000140: The operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. If it does not, this is a finding. Ensure telnet is disabled:
$ grep telnet /etc/inetd.conf
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Satisfies: SRG-OS-000033-GPOS-00014
Fix
Configure the operating system to implement DoD-approved encryption to protect the confidentiality of remote access sessions.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000640: The information system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
Verify the operating system is configured such that emergency administrator accounts are automatically removed or disabled within 72 hours. If it is not, this is a finding. List all the user accounts on the system as well as their expiration times:
# cut -d: -f1,7 /etc/master.passwd
Ask the SA which accounts are emergency accounts, if any. If any emergency accounts do not have an expiration within 72 hours, this is a finding.
Discussion
Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000123-GPOS-00064
Fix
Configure the operating system such that emergency administrator accounts are automatically removed or disabled within 72 hours.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000410: The operating system must store only encrypted representations of passwords.
Verify the operating system stores only encrypted representations of passwords. If it does not, this is a finding. The "/etc/master.passwd" file must use SHA512 hashes. To check, first verify all passwords are hashed using a SHA algorithm:
$ cat /etc/master.passwd
# $FreeBSD: releng/10.4/etc/master.passwd 256366 2013-10-12 06:08:18Z rpaulo $
#
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
jimbo:$6$2jEuW4XAaFWVN0FR$8jvpYm.c5lQk2BDq6MlhWuAcUBSXjpM/KFPRRUgima/9GBanbkWo6dCOO3THzXT8NTZJQSLTQYp/0d4wC5J080:1001:1001::0:0:Jim:/home/jimbo:/bin/sh
Any user without a '*' in the second column has a password, and that password must start with "$6$". To verify hashes are SHA512 and not SHA256:
$ grep format /etc/login.conf
	:passwd_format=sha512:\
# :passwd_format=des:\
Ensure the line that is not commented out indicates sha512.
Discussion
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041
Fix
Configure the operating system to store only encrypted representations of passwords.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001150: The operating system must control remote access methods.
Verify the operating system controls remote access methods. If it does not, this is a finding. Ensure PF is enabled:
$ grep pf_ /etc/rc.conf
pf_enable="YES"
pf_flags=""
"pf_enable" must be set to YES. (There may be additional lines.) If it is not, this is a finding.
Discussion
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000297-GPOS-00115
Fix
Configure the operating system to control remote access methods.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000120: The operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
Verify the operating system conceals, via the session lock, information previously visible on the display with a publicly viewable image. If it does not, this is a finding. For graphical displays with GNOME, the screensaver should be configured to be blank:
$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode
If this is not "blank-only" and GNOME is in use, this is a finding.
Discussion
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. Satisfies: SRG-OS-000031-GPOS-00012
Fix
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002300: The operating system must limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
Verify the operating system limits the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders. If it does not, this is a finding.
$ ls -l /home/
All directories should indicate they are owned by their users and have appropriate permissions. If home directories are stored elsewhere, check there.
Discussion
Users' home directories/folders may contain information of a sensitive nature. Non-privileged users should coordinate any sharing of information with an SA through shared resources. Satisfies: SRG-OS-000480-GPOS-00230
Fix
Configure the operating system to limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000020: The operating system must automatically remove or disable temporary user accounts after 72 hours.
Verify the operating system automatically removes or disables local temporary user accounts after 72 hours. If it does not, this is a finding. List all the user accounts on the system as well as their expiration times:
# cut -d: -f1,7 /etc/master.passwd
Ask the SA which accounts are temporary accounts, if any. If any temporary accounts do not have an expiration within 72 hours, this is a finding.
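Both 72-hour checks (FreeBSD-10-000640 and this one) and the SHA512 hash check in FreeBSD-10-000410 read the same two fields of master.passwd. The script below is an added example, not part of the checklist, that automates them against a constructed sample file; the account names, placeholder hashes and the fixed "now" time stamp are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the original checklist: audits a master.passwd(5)
# file for two checks on this page. Field 2 is the password hash ('*' = no
# password) and field 7 is the expiry time in epoch seconds (0 = never).
#   FreeBSD-10-000410: every account with a password must use a "$6$" (SHA512) hash
#   FreeBSD-10-000640 / FreeBSD-10-000020: emergency and temporary accounts must
#   expire within 72 hours
# Constructed sample; the hash strings are placeholders, not real credentials.
SAMPLE_MASTER_PASSWD='# $FreeBSD$ - constructed sample, not a real password file
root:$6$PLACEHOLDER.root:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
jimbo:$6$PLACEHOLDER.jimbo:1001:1001::0:0:Jim:/home/jimbo:/bin/sh
legacy:$1$PLACEHOLDER.md5:1002:1002::0:0:Still on MD5:/home/legacy:/bin/sh
nopass::1003:1003::0:0:Empty password field:/home/nopass:/bin/sh
tmpadm:$6$PLACEHOLDER.tmp:1004:0::0:1538784000:Temp admin, expires one day out:/home/tmpadm:/bin/sh
emerg1:$6$PLACEHOLDER.em1:1005:0::0:0:Emergency acct, never expires:/home/emerg1:/bin/sh
emerg2:$6$PLACEHOLDER.em2:1006:0::0:1539900000:Emergency acct, expires two weeks out:/home/emerg2:/bin/sh'

# weak_hash_accounts FILE
# Prints each account that has a password (field 2 is not '*') whose hash does
# not start with "$6$". An empty password field is reported as well.
weak_hash_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }                       # comments and malformed lines
        $2 != "*" && substr($2, 1, 3) != "$6$" { print $1 }
    ' "$1"
}

# expiry_findings FILE NOW_EPOCH NAME...
# For every NAME (the accounts the SA identified as emergency or temporary),
# prints "NAME:none" if the expiry is 0, "NAME:late" if it is more than 72 h
# (259200 s) after NOW_EPOCH, or "NAME:missing" if the account does not exist.
# Accounts that expire inside the window print nothing.
expiry_findings() {
    file=$1; now=$2; shift 2
    limit=$((now + 259200))
    for name in "$@"; do
        expire=$(awk -F: -v n="$name" '!/^#/ && $1 == n { print $7; exit }' "$file")
        if [ -z "$expire" ]; then echo "$name:missing"
        elif [ "$expire" -eq 0 ]; then echo "$name:none"
        elif [ "$expire" -gt "$limit" ]; then echo "$name:late"
        fi
    done
}

# sample_file: writes the constructed sample to a temp file and prints its path.
sample_file() { f=$(mktemp) || return 1; printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$f"; echo "$f"; }

# Demo with "now" fixed at 2018-10-05 00:00:00 UTC (epoch 1538697600), the
# release date of this checklist, so the output is reproducible.
f=$(sample_file)
echo 'Accounts whose password is not a $6$ (SHA512) hash:'
weak_hash_accounts "$f"
echo 'Emergency/temporary accounts failing the 72-hour rule:'
expiry_findings "$f" 1538697600 tmpadm emerg1 emerg2 ghost
rm -f "$f"
```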
Discussion
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000002-GPOS-00002
Fix
Configure the operating system to automatically remove or disable local temporary user accounts after 72 hours.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000440: Operating systems must enforce a 60-day maximum password lifetime restriction.
Verify the operating system enforces a 60-day maximum password lifetime restriction. If it does not, this is a finding.
$ cat /etc/login.conf
Ensure "passwordtime" is set under the "default" section and any other sections in use. If it is not set or is set to more than 60d, this is a finding.
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Satisfies: SRG-OS-000076-GPOS-00044
Fix
Configure operating system to enforce a 60-day maximum password lifetime restriction.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000130: The operating system must monitor remote access methods.
Verify the operating system monitors remote access methods. If it does not, this is a finding. SSH does this by default, logging to the syslog auth facility. Verify that SSH is enabled:
$ grep sshd /etc/rc.conf
sshd_enable=YES
If sshd_enable=YES does not appear in this list, this is not a finding. Verify the logging configuration:
$ grep -i log /etc/ssh/sshd_config
# Logging
SyslogFacility AUTH
LogLevel INFO
If LogLevel is set to "QUIET", this is a finding.
Discussion
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000032-GPOS-00013
Fix
Configure the operating system to monitor remote access methods.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002150: The operating system must generate audit records for privileged activities or other system-level access.
Verify the operating system generates audit records for privileged activities or other system-level access. If it does not, this is a finding. To check if auditing is in place:
$ grep auditd /etc/rc.conf
A line indicating auditing is enabled should be returned. Check which audits occur:
$ cat /etc/security/audit_class
$ cat /etc/security/audit_event
These two files document the types of audit events available.
$ cat /etc/security/audit_control
$ cat /etc/security/audit_user
These two document what is actually audited by default (audit_control) and per user (audit_user). If "ad" or "aa" are not audited, this is a finding. The FreeBSD audit_*(5) manpages document each file's format; for example, see "man 5 audit_user" and "man 5 audit_control" for details on the user and control auditing files.
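An added example, not part of the checklist, that applies the "ad"/"aa" rule above to the flags: line of a constructed audit_control file while honouring the audit_control(5) class prefixes; the sample content and the left-to-right evaluation order are assumptions.

```sh
#!/bin/sh
# Added example, not from the original checklist: checks the "flags:" line of
# audit_control(5) for the FreeBSD-10-002150 requirement that the "aa"
# (authentication/authorization) and "ad" (administrative) classes are audited.
# audit_control(5) class prefixes: "+" audits successes only, "-" failures only,
# "^", "^+" and "^-" remove the class (or one direction of it). Assumption: the
# list is applied left to right, so a later "^ad" cancels an earlier "ad".
# Per-user audit_user(5) entries are not considered here.

# Constructed sample resembling a stock audit_control that lacks "ad".
SAMPLE_AUDIT_CONTROL='#
# constructed sample audit_control
#
dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M'

# audit_flags FILE: prints the value of the "flags:" line ("" if absent).
audit_flags() { awk -F: '!/^[ \t]*#/ && $1 == "flags" { print $2; exit }' "$1"; }

# class_audited FLAGS CLASS
# Succeeds when CLASS (or "all") is selected for both successful and failed
# events after the whole comma-separated FLAGS list has been applied.
class_audited() {
    selected=1
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            "$2"|all)                   selected=0 ;;   # both directions
            "+$2"|"-$2")                selected=1 ;;   # one direction only: not enough
            "^$2"|"^+$2"|"^-$2"|"^all") selected=1 ;;   # removed again
        esac
    done
    return $selected
}

# audit_control_ok FILE: both required classes must be audited.
audit_control_ok() {
    flags=$(audit_flags "$1")
    class_audited "$flags" aa && class_audited "$flags" ad
}

# missing_classes FILE: prints the required classes that are not audited, one per line.
missing_classes() {
    flags=$(audit_flags "$1")
    for c in aa ad; do class_audited "$flags" "$c" || echo "$c"; done
}

f=$(mktemp); printf '%s\n' "$SAMPLE_AUDIT_CONTROL" > "$f"
echo "flags: $(audit_flags "$f")"
echo "required by FreeBSD-10-002150 but not audited: $(missing_classes "$f" | tr '\n' ' ')"
rm -f "$f"
```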
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000471-GPOS-00215
Fix
Configure the operating system to generate audit records for privileged activities or other system-level access.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000060: The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.
Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding.
$ cat /etc/motd
$ cat /etc/issue
Direct console logins will display these messages; one or the other should reflect the banner.
$ grep -i banner /etc/ssh/sshd_config
SSH defaults to /etc/motd if not set in the config file.
Discussion
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
Fix
Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002280: The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. If it does not, this is a finding.
$ grep umask /etc/login.conf
Ensure the umask is set to 077 or more restrictive.
$ grep umask /etc/profile
Ensure the /etc/login.conf umask isn't overridden.
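The passwd_format, passwordtime and umask checks (FreeBSD-10-000410, FreeBSD-10-000440 and this item) all read capabilities out of login.conf, whose records span several backslash-continued lines. The following added example, not part of the checklist, parses that format and evaluates the three rules against a constructed sample with a stock-like "default" class and a compliant "hardened" class; both classes are constructed, and tc= inheritance is not followed.

```sh
#!/bin/sh
# Added example, not from the original checklist: a minimal login.conf(5)
# reader for three checks on this page, FreeBSD-10-000410 (passwd_format),
# FreeBSD-10-000440 (passwordtime) and FreeBSD-10-002280 (umask).
# login.conf records span several lines joined by a trailing backslash and use
# ':' as the capability separator. Assumption: "tc=" inheritance is NOT
# followed here, so inherited values must be looked up in the parent class.

# Constructed sample: "default" resembles a stock FreeBSD 10 class (including the
# commented-out des line the checklist mentions); "hardened" is compliant.
SAMPLE_LOGIN_CONF='# login.conf - constructed sample for this example
default:\
    :passwd_format=sha512:\
# :passwd_format=des:\
    :copyright=/etc/COPYRIGHT:\
    :welcome=/etc/motd:\
    :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
    :umask=022:\
    :passwordtime=90d:

hardened|Hardened class for this example:\
    :passwd_format=sha512:\
    :umask=077:\
    :passwordtime=60d:'

# login_cap FILE CLASS CAPABILITY
# Prints the value of CAPABILITY in record CLASS (nothing if unset or no such class).
login_cap() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                      # comments, even inside a record
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /\\$/) {                  # continuation: strip "\" and keep reading
                sub(/\\$/, "", line); rec = rec line; next
            }
            rec = rec line                       # record is complete
            n = split(rec, f, ":")
            split(f[1], names, "|")              # "name|alias|description"
            hit = 0
            for (i in names) if (names[i] == class) hit = 1
            if (hit)
                for (i = 2; i <= n; i++)
                    if (index(f[i], cap "=") == 1) { print substr(f[i], length(cap) + 2); exit }
            rec = ""
        }' "$1"
}

# period_seconds VALUE
# Converts a login.cap time value with a single unit suffix (s, m, h, d, w, y) to seconds.
period_seconds() {
    v=$1
    case $v in
        *s) echo "${v%s}" ;;
        *m) echo $(( ${v%m} * 60 )) ;;
        *h) echo $(( ${v%h} * 3600 )) ;;
        *d) echo $(( ${v%d} * 86400 )) ;;
        *w) echo $(( ${v%w} * 604800 )) ;;
        *y) echo $(( ${v%y} * 31536000 )) ;;     # login.cap(5): a year is 365 days
        *)  echo "$v" ;;                         # bare number: already seconds
    esac
}

# Each check takes FILE CLASS and succeeds only when the class is compliant.
passwd_format_ok() { [ "$(login_cap "$1" "$2" passwd_format)" = "sha512" ]; }

passwordtime_ok() {
    v=$(login_cap "$1" "$2" passwordtime)
    [ -n "$v" ] || return 1                      # unset: passwords never expire
    [ "$(period_seconds "$v")" -le 5184000 ]     # 60 days
}

umask_ok() {
    v=$(login_cap "$1" "$2" umask)
    [ -n "$v" ] || return 1
    [ $(( 0$v & 0077 )) -eq 63 ]                 # 077 or stricter: all group/other bits masked
}

# report FILE CLASS: one line per check, in the checklist's own terms.
report() {
    for chk in passwd_format_ok passwordtime_ok umask_ok; do
        if "$chk" "$1" "$2"; then echo "$2 $chk: compliant"; else echo "$2 $chk: FINDING"; fi
    done
}

# sample_file: writes the constructed sample to a temp file and prints its path.
sample_file() { f=$(mktemp) || return 1; printf '%s\n' "$SAMPLE_LOGIN_CONF" > "$f"; echo "$f"; }

f=$(sample_file); report "$f" default; report "$f" hardened; rm -f "$f"
```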
Discussion
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. Satisfies: SRG-OS-000480-GPOS-00228
Fix
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000930: The operating system must implement cryptography to protect the integrity of remote access sessions.
Verify the operating system implements cryptography to protect the integrity of remote access sessions. If it does not, this is a finding. Check that the SSH daemon is configured to only use MACs employing FIPS 140-2 approved ciphers with the following command:
# grep -i macs /etc/ssh/sshd_config
MACs hmac-sha2-256,hmac-sha2-512
If any MACs other than "hmac-sha2-256" or "hmac-sha2-512" are listed, or the returned line is commented out or does not exist, this is a finding.
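The LogLevel rule in FreeBSD-10-000130 and the MACs rule above both depend on how sshd reads sshd_config (case-insensitive keywords, first occurrence wins, commented lines ignored). This added example, not from the checklist, evaluates both rules against three constructed configurations and examines only the global section before any Match block.

```sh
#!/bin/sh
# Added example, not from the original checklist: reads sshd_config(5) the way
# sshd does for two checks on this page, FreeBSD-10-000130 (LogLevel must not
# be QUIET; OpenSSH defaults to INFO when the line is absent or commented out)
# and FreeBSD-10-000930 (MACs must list only hmac-sha2-256 and/or hmac-sha2-512).
# Keywords are case-insensitive, the first occurrence wins, and both
# "Keyword value" and "Keyword=value" are accepted. Assumption: only the global
# section is examined; directives under a "Match" block are ignored.

# Constructed samples. CFG_STOCK mirrors a stock file where everything is commented.
CFG_STOCK='# constructed sample: stock-style sshd_config
#Port 22
#SyslogFacility AUTH
#LogLevel INFO
#MACs hmac-sha2-256,hmac-sha2-512'

CFG_HARDENED='# constructed sample: compliant global section
SyslogFacility AUTH
LogLevel VERBOSE
MACs hmac-sha2-512,hmac-sha2-256
Match User backup
    LogLevel QUIET'

CFG_WEAK='# constructed sample: both checks fail
loglevel = QUIET
MACs hmac-sha2-256,hmac-sha1'

# sshd_option FILE KEYWORD
# Prints the first uncommented global value of KEYWORD, or nothing if unset.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, a, /[ \t=]+/)
            k = tolower(a[1])
            if (k == "match") exit                 # conditional section: stop here
            if (k == key) {
                sub(/^[^ \t=]+[ \t=]+/, "", line)  # drop the keyword and separator
                print line; exit
            }
        }' "$1"
}

# effective_loglevel FILE: the configured LogLevel in upper case, or INFO (OpenSSH default).
effective_loglevel() {
    v=$(sshd_option "$1" LogLevel)
    if [ -n "$v" ]; then printf '%s\n' "$v" | tr 'a-z' 'A-Z'; else echo INFO; fi
}

# loglevel_ok FILE: fails only when the effective LogLevel is QUIET.
loglevel_ok() { [ "$(effective_loglevel "$1")" != "QUIET" ]; }

# macs_ok FILE: succeeds only when MACs is set, uncommented, and lists nothing
# but hmac-sha2-256 / hmac-sha2-512. A list such as "+hmac-sha2-256" keeps the
# OpenSSH defaults and therefore fails as well.
macs_ok() {
    v=$(sshd_option "$1" MACs)
    [ -n "$v" ] || return 1
    for m in $(printf '%s' "$v" | tr ',' ' '); do
        case $m in
            hmac-sha2-256|hmac-sha2-512) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# config_file CONTENT: writes CONTENT to a temp file and prints its path.
config_file() { f=$(mktemp) || return 1; printf '%s\n' "$1" > "$f"; echo "$f"; }

# report NAME CONTENT: one summary line per configuration.
report() {
    f=$(config_file "$2")
    printf '%-9s LogLevel=%-8s' "$1" "$(effective_loglevel "$f")"
    if loglevel_ok "$f"; then printf ' ok     '; else printf ' FINDING'; fi
    if macs_ok "$f"; then echo '  MACs ok'; else echo '  MACs FINDING'; fi
    rm -f "$f"
}

report stock "$CFG_STOCK"
report hardened "$CFG_HARDENED"
report weak "$CFG_WEAK"
```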
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
Fix
Configure the operating system to implement cryptography to protect the integrity of remote access sessions.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002320: The operating system must enable an application firewall, if available.
Verify the operating system enables an application firewall, if available. If it does not, this is a finding. If the operating system does not support an application firewall, this may be downgraded to a CAT III finding.
$ grep pf_ /etc/rc.conf
pf_enable="YES"
pf_flags=""
"pf_enable" must be set to YES. (There may be additional lines.)
Discussion
Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network. Satisfies: SRG-OS-000480-GPOS-00232
Fix
Ensure the operating system's application firewall is enabled, if available.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000270: The operating system must protect audit information from unauthorized read access, modification or deletion.
Verify the operating system protects audit information from unauthorized read access, modification or deletion. If it does not, this is a finding.
# grep dir: /etc/security/audit_control | awk -F':' '{print $2}' | xargs ls -l
If the audit files are readable, writable, or owned by any users or groups other than root or audit, this is a finding.
# ls -l /etc/security/
If the audit configuration files are readable, writable, or owned by any users or groups other than root or wheel, this is a finding.
Discussion
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification or deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Fix
Configure the operating system to protect audit information from unauthorized read access, modification or deletion.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000010: The operating system must provide automated mechanisms for supporting account management functions.
Verify the operating system provides automated mechanisms for supporting account management functions. If it does not, this is a finding. FreeBSD lacks a standardized way to handle many of these functions. Ask the system administrator if such a system is in place or if LDAP is used for authentication.
Discussion
Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The automated mechanisms may reside within the operating system itself or may be offered by other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage. Satisfies: SRG-OS-000001-GPOS-00001
Fix
Configure the operating system to provide automated mechanisms for supporting account management functions.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000400: The operating system must not allow passwords to be similar to previous ones.
Verify the operating system does not allow passwords to be similar to previous ones. FreeBSD password quality checks are performed by pam_passwdqc. Verify it is installed and in use:
$ cat /etc/pam.d/passwd
password	requisite	pam_passwdqc.so	enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password	required	pam_unix.so	no_warn try_first_pass nullok
Ensure pam_passwdqc.so is not commented out and contains the settings "enforce=everyone" and "similar=deny". If it does not, this is a finding.
Discussion
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. Satisfies: SRG-OS-000072-GPOS-00040
Fix
Configure the operating system to not allow passwords to be similar to previous ones.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001450: The operating system must record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.
Verify the operating system records time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision. If it does not, this is a finding. FreeBSD has millisecond-level audit time stamps by default, but to verify against the current audit log:
$ praudit /var/audit/*.not_terminated | head -n 20
Discussion
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the operating system include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks. Satisfies: SRG-OS-000358-GPOS-00145
Fix
Configure the operating system to record time stamps for audit records that meet a minimum granularity of one second for a minimum degree of precision.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001170: The operating system must protect wireless access to and from the system using encryption.
Verify the operating system protects wireless access to and from the system using encryption. If it does not, this is a finding. Ask the system administrator if Wi-Fi or another wireless system is in use on the system.
Discussion
Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. This requirement applies to those operating systems that control wireless devices. Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000481-GPOS-000481
Fix
Configure the operating system to protect wireless access to and from the system using encryption.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000880: Any publicly accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding.
Discussion
Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." Satisfies: SRG-OS-000228-GPOS-00088
Fix
Configure any publicly accessible connection to the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000610: The operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Inspect the "password" section of "/etc/pam.d/system", "/etc/pam.d/sshd", "/etc/pam.d/passwd" and other files in "/etc/pam.d" to identify the number of occurrences where the "pam_unix.so" module is used in the "password" section.
$ grep -E -c 'password.*pam_unix.so' /etc/pam.d/*
/etc/pam.d/README:0
/etc/pam.d/atrun:0
/etc/pam.d/cron:0
/etc/pam.d/ftp:0
/etc/pam.d/ftpd:0
/etc/pam.d/imap:0
/etc/pam.d/login:0
/etc/pam.d/other:0
/etc/pam.d/passwd:1
/etc/pam.d/pop3:0
/etc/pam.d/rsh:0
/etc/pam.d/sshd:1
/etc/pam.d/su:0
/etc/pam.d/system:1
/etc/pam.d/telnetd:1
/etc/pam.d/xdm:0
Note: The number adjacent to the file name indicates how many occurrences of the "pam_unix.so" module are found in the password section. If the "pam_unix.so" module is not defined in the "password" section of "system", "sshd", and "passwd" at a minimum, this is a finding.
In addition, the "/etc/master.passwd" file must use SHA512 hashes. To check, first verify all passwords are hashed using a SHA algorithm:
$ cat /etc/master.passwd
# $FreeBSD: releng/10.4/etc/master.passwd 256366 2013-10-12 06:08:18Z rpaulo $
#
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
jimbo:$6$2jEuW4XAaFWVN0FR$8jvpYm.c5lQk2BDq6MlhWuAcUBSXjpM/KFPRRUgima/9GBanbkWo6dCOO3THzXT8NTZJQSLTQYp/0d4wC5J080:1001:1001::0:0:Jim:/home/jimbo:/bin/sh
Any user without a '*' in the second column has a password, and that password must start with "$6$". To verify hashes are SHA512 and not SHA256:
$ cat /etc/login.conf | grep format
:passwd_format=sha512:\
# :passwd_format=des:\
Ensure the non-commented-out line indicates sha512.
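Added example, not part of this STIG and not FreeBSD's own code: a shell classifier for the second field of master.passwd entries that implements the "$6$" rule above and also flags the cases the rule leaves implicit (an empty field, MD5 "$1$", SHA-256 "$5$"). The function names (hash_families, weak_hash_users, sha512_status) are my own, and SAMPLE_MASTER_PASSWD is a constructed excerpt with placeholder hash bodies; on a real host feed the functions the content of /etc/master.passwd (readable only by root).

```shell
#!/bin/sh
# Added example (not from the STIG): classify every master.passwd password field.
# SAMPLE_MASTER_PASSWD is a constructed excerpt; the hash bodies are placeholders,
# not real credentials. On a host, pass "$(cat /etc/master.passwd)" as root.
SAMPLE_MASTER_PASSWD='# constructed sample, not a real /etc/master.passwd
root:$6$saltsaltsaltsalt$PLACEHOLDERSHA512HASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
jimbo:$6$2jEuW4XAaFWVN0FR$PLACEHOLDERSHA512HASH:1001:1001::0:0:Jim:/home/jimbo:/bin/sh
legacy:$1$oldsaltx$PLACEHOLDERMD5HASH:1002:1002::0:0:Old MD5 hash:/home/legacy:/bin/sh
bob:$5$saltsaltsaltsalt$PLACEHOLDERSHA256HASH:1003:1003::0:0:SHA-256 hash:/home/bob:/bin/sh
guest::1004:1004::0:0:No password at all:/home/guest:/bin/sh
'

# hash_families CONTENT: print "user<TAB>family" for each non-comment entry.
# Families: locked (field starts with "*"), EMPTY (no password), sha512 ($6$),
# sha256 ($5$), md5 ($1$), blowfish ($2...), or other (DES or unknown).
hash_families() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 2 { next }
        {
            pw = $2
            if      (pw ~ /^\*/)     fam = "locked"
            else if (pw == "")       fam = "EMPTY"
            else if (pw ~ /^\$6\$/)  fam = "sha512"
            else if (pw ~ /^\$5\$/)  fam = "sha256"
            else if (pw ~ /^\$1\$/)  fam = "md5"
            else if (pw ~ /^\$2/)    fam = "blowfish"
            else                     fam = "other"
            print $1 "\t" fam
        }'
}

# weak_hash_users CONTENT: users with a usable password that is not SHA512.
# Each is a finding under this check; an EMPTY field is the worst case.
weak_hash_users() {
    hash_families "$1" | awk -F '\t' '$2 != "sha512" && $2 != "locked" { print $1 }'
}

# sha512_status CONTENT: one-line verdict suitable for a report.
sha512_status() {
    _bad=$(weak_hash_users "$1" | tr '\n' ' ')
    if [ -z "$_bad" ]; then echo "ok: all active accounts use SHA512"
    else echo "FINDING: non-SHA512 or empty passwords: $_bad"; fi
}

sha512_status "$SAMPLE_MASTER_PASSWD"
```

Note that passwd_format in login.conf only governs how new passwords are hashed; accounts whose hash predates the change keep the old family until the password is changed, which is why the per-account scan above is needed alongside the login.conf check.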
Discussion
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. Satisfies: SRG-OS-000120-GPOS-00061
Fix
Configure the operating system to use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000250: The operating system must provide the capability to filter audit records for events of interest based upon all audit fields within audit records.
Verify the operating system provides the capability to filter audit records for events of interest based upon all audit fields within audit records. If it does not, this is a finding. Ensure "auditreduce" is installed:
$ which auditreduce
/usr/sbin/auditreduce
If the auditreduce utility is not found, this is a finding. If an alternative audit filtering capability is in place, this is not a finding.
Discussion
The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. This requires operating systems to provide the capability to customize audit record reports based on all available criteria. Satisfies: SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000353-GPOS-00141
Fix
Configure the operating system to provide the capability to filter audit records for events of interest based upon all audit fields within audit records.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002140: The operating system must generate audit records when successful/unsuccessful logon attempts occur.
Verify the operating system generates audit records when successful/unsuccessful logon attempts occur. If it does not, this is a finding. To check if auditing is in place:
$ grep auditd /etc/rc.conf
A line indicating auditing is enabled should be returned. Check that user audits occur:
$ cat /etc/security/audit_class
This file provides a description of the various audit event short names (e.g., "lo" is "login_logout" by default).
$ cat /etc/security/audit_control
Ensure "flags" and "naflags" both contain "lo".
$ cat /etc/security/audit_user
Ensure login/logout auditing is not overridden for certain users.
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220
Fix
Configure the operating system to generate audit records when successful/unsuccessful logon attempts occur.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001500: The operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner.
Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. If it does not, this is a finding. AIDE is one tool that may be used to check this. To see if AIDE is installed:
# pkg info aide
aide-0.16
Name           : aide
Version        : 0.16
Installed on   : Tue Mar 27 09:56:37 2018 UTC
Origin         : security/aide
Architecture   : FreeBSD:10:amd64
Prefix         : /usr/local
Categories     : security
Licenses       :
Maintainer     : cy@FreeBSD.org
WWW            : https://sourceforge.net/projects/aide/
Comment        : Replacement and extension for Tripwire
Annotations    :
	repo_type      : binary
	repository     : FreeBSD
Flat size      : 1.31MiB
Description    :
AIDE is Advanced Intrusion Detection Environment. This piece of software was written as a replacement and extension for Tripwire.

WWW: https://sourceforge.net/projects/aide/
If AIDE is not installed, pkg will say "No package(s) matching aide." To see if it runs periodically:
$ cat /etc/crontab
$ ls /etc/cron.d/*
One of these may indicate that AIDE is being run. Other auditing software is available, such as Tripwire. Ask the system administrator if they are using an alternative system.
Discussion
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. Satisfies: SRG-OS-000363-GPOS-00150
Fix
Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001340: The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. If it does not, this is a finding.
# cat /etc/security/audit_control
If the value of minfree is not set to 25% of the audit record storage volume, this is a finding. If minfree is not set, this is a finding, since the default set by the kernel is 20%.
Discussion
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion. Satisfies: SRG-OS-000343-GPOS-00134
Fix
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001990: The operating system must verify correct operation of all security functions.
Verify the operating system verifies correct operation of all security functions. If it does not, this is a finding. AIDE is one tool that may be used to check this. To see if AIDE is installed:
# pkg info aide
aide-0.16
Name           : aide
Version        : 0.16
Installed on   : Tue Mar 27 09:56:37 2018 UTC
Origin         : security/aide
Architecture   : FreeBSD:10:amd64
Prefix         : /usr/local
Categories     : security
Licenses       :
Maintainer     : cy@FreeBSD.org
WWW            : https://sourceforge.net/projects/aide/
Comment        : Replacement and extension for Tripwire
Annotations    :
	repo_type      : binary
	repository     : FreeBSD
Flat size      : 1.31MiB
Description    :
AIDE is Advanced Intrusion Detection Environment. This piece of software was written as a replacement and extension for Tripwire.

WWW: https://sourceforge.net/projects/aide/
If AIDE is not installed, pkg will say "No package(s) matching aide." To see if it runs periodically:
$ cat /etc/crontab
$ ls /etc/cron.d/*
One of these may indicate that AIDE is being run. Review the configuration of AIDE:
$ find / -name aide.conf -print -exec cat {} \;
Other auditing software is available, such as Tripwire. Ask the system administrator if they are using an alternative system.
Discussion
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200
Fix
Configure the operating system to verify correct operation of all security functions.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000100: The operating system must initiate a session lock after a 15-minute period of inactivity for all connection types.
Verify the operating system initiates a session lock after a 15-minute period of inactivity for all connection types. If it does not, this is a finding. For console connections:
$ cat /etc/login.conf
Ensure "idletime" is set under the "default" section and any other sections in use. If it is not set or is set to more than 15m, this is a finding. For graphical displays with GNOME, the screensaver should lock:
$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled
If this is not "true" and GNOME is in use, this is a finding.
Discussion
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. Satisfies: SRG-OS-000029-GPOS-00010
Fix
Configure the operating system to initiate a session lock after a 15-minute period of inactivity for all connection types.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000570: The operating system must implement replay-resistant authentication mechanisms for network access.
Verify the operating system implements replay-resistant authentication mechanisms for network access. If it does not, this is a finding.
# grep -i protocol /etc/ssh/sshd_config
The returned line should indicate Protocol 2 is in use. If the returned line allows for use of Protocol 1, is commented out, or the line is missing, this is a finding.
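Added example, not from this STIG: a function (sshd_protocol_status, my own name) that applies the three outcomes above to sshd_config text. Unlike the bare grep, which also matches the commented-out default, it skips comment lines, compares the keyword case-insensitively, and takes the first uncommented occurrence, which is how sshd itself reads the file. The four snippets are constructed; on a host pass the content of /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate sshd_config's Protocol directive
# with the outcomes the check describes. All four snippets are constructed.
SSHD_OK='# constructed sshd_config excerpt
Protocol 2
PermitRootLogin no
'
SSHD_BOTH='protocol 2,1'          # lower-case keyword, version 1 still allowed
SSHD_COMMENTED='#Protocol 2'      # only the commented default is present
SSHD_MISSING='PermitRootLogin no' # no Protocol line at all

# sshd_protocol_status CONTENT: print "ok: Protocol 2" or one FINDING line.
# Keyword comparison is case-insensitive and the first uncommented occurrence
# wins, matching sshd_config(5): "the first obtained value will be used".
sshd_protocol_status() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        !seen && tolower($1) == "protocol" { seen = 1; val = $2 }
        END {
            if (!seen) { print "FINDING: Protocol line missing or commented out"; exit }
            n = split(val, v, ",")
            for (i = 1; i <= n; i++)
                if (v[i] != "2") { print "FINDING: Protocol " val " allows version " v[i]; exit }
            print "ok: Protocol " val
        }'
}

for _cfg in "$SSHD_OK" "$SSHD_BOTH" "$SSHD_COMMENTED" "$SSHD_MISSING"; do
    sshd_protocol_status "$_cfg"
done
```

A "Protocol 2,1" line is the case the grep is most likely to wave through, since the line does contain "Protocol 2"; the split on commas above catches it.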
Discussion
A replay attack may enable an unauthorized user to gain access to the operating system. Authentication sessions between the authenticator and the operating system validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
Fix
Configure the operating system to implement replay-resistant authentication mechanisms for network access.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000330: The operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.
Verify the operating system generates audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding. Check which audits occur:
$ cat /etc/security/audit_class
$ cat /etc/security/audit_event
These two files document the types of audit events available.
$ cat /etc/security/audit_control
$ cat /etc/security/audit_user
These two document what is actually audited by default (audit_control) and per-user (audit_user). If "ad" events are not audited, this is a finding. The FreeBSD "audit_*" (5) manpages document each file's format. For example, see "man 5 audit_user" and "man 5 audit_control" for details on the user and control auditing files.
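Added example, not from this STIG, serving the three audit_control checks on this page: "flags" and "naflags" containing "lo" (FreeBSD-10-002140), minfree at 25% (FreeBSD-10-001340), and "ad" being audited here. The function names (audit_control_value, class_coverage, required_classes_audited, minfree_status) are my own and SAMPLE_AUDIT_CONTROL is a constructed file; on a host pass the content of /etc/security/audit_control. The point the bare "cat" leaves to the reviewer's eye is the prefix syntax of audit_control(5): "+ad" audits only successful events, "-ad" only failures, and a "^" prefix removes a class again, so a list can mention "ad" and still leave the check unmet.

```shell
#!/bin/sh
# Added example (not from the STIG): checks against /etc/security/audit_control,
# run on a constructed sample instead of the live file.
SAMPLE_AUDIT_CONTROL='# constructed audit_control sample, not the stock file
dir:/var/audit
dist:off
flags:lo,+ad,-ex
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
'

# audit_control_value CONTENT KEY: value for KEY ("flags", "minfree", ...),
# skipping comment lines; empty output means the key is absent.
audit_control_value() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { sub(/^[^:]*:/, ""); print; exit }'
}

# class_coverage LIST CLASS: how CLASS appears in a comma-separated flags list.
#   both    - bare "lo" (or "all"): success and failure are audited
#   success - "+lo": successful events only
#   failure - "-lo": failed events only
#   absent  - not listed, or removed again by a "^" prefix (treated conservatively)
class_coverage() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v cls="$2" '
        BEGIN { r = "absent" }
        $0 == cls || $0 == "all"                                { r = "both" }
        $0 == ("+" cls)                                         { r = "success" }
        $0 == ("-" cls)                                         { r = "failure" }
        $0 == ("^" cls) || $0 == ("^+" cls) || $0 == ("^-" cls) { r = "absent" }
        END { print r }'
}

# required_classes_audited CONTENT KEY CLASS...: exit 0 when every CLASS is audited
# for both success and failure in KEY's list; else print what is short, exit 1.
required_classes_audited() {
    _list=$(audit_control_value "$1" "$2"); _key=$2; shift 2
    _missing=""
    for _c in "$@"; do
        _cov=$(class_coverage "$_list" "$_c")
        [ "$_cov" = "both" ] || _missing="$_missing $_key:$_c=$_cov"
    done
    [ -z "$_missing" ] && return 0
    printf 'FINDING:%s\n' "$_missing"
    return 1
}

# minfree_status CONTENT: the check wants minfree exactly 25 (warn at 75% full);
# an unset minfree falls back to the kernel default of 20% and is also a finding.
minfree_status() {
    _mf=$(audit_control_value "$1" minfree)
    if [ -z "$_mf" ]; then echo "FINDING: minfree unset (kernel default 20%)"
    elif [ "$_mf" -eq 25 ] 2>/dev/null; then echo "ok: minfree=25"
    else echo "FINDING: minfree=$_mf (expected 25)"; fi
}

minfree_status "$SAMPLE_AUDIT_CONTROL"
required_classes_audited "$SAMPLE_AUDIT_CONTROL" flags lo ad || true
required_classes_audited "$SAMPLE_AUDIT_CONTROL" naflags lo && echo "ok: naflags covers lo"
```

On the constructed sample this reports minfree=5 and "flags:ad=success" as findings while naflags passes. auditd reads audit_control when it starts; after editing the file, run "audit -s" so the running daemon picks up the new values before re-checking.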
Discussion
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00216
Fix
Configure the operating system to generate audit records when successful/unsuccessful attempts to access privileges occur.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000790: The operating system must protect the confidentiality and integrity of all information at rest.
Verify the operating system protects the confidentiality and integrity of all information at rest. If it does not, this is a finding. Determine if encryption must be used to protect data on this system. One method of protecting a disk in FreeBSD is kernel-level encryption. Devices set up this way appear as ".bde" devices:
$ ls /dev/ad*.bde
If any devices are listed, an encrypted device is in use. There may be other at-rest data encryption in place. Ask the system administrator about other mechanisms.
Discussion
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
Fix
Configure the operating system to protect the confidentiality and integrity of all information at rest.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000460: The operating system must enforce a minimum 15-character password length.
Verify the operating system enforces a minimum 15-character password length. If it does not, this is a finding.
$ cat /etc/login.conf
Ensure "minpasswordlen" is set under "default" and any other non-commented-out section. If it is not set or is less than 15, this is a finding. FreeBSD password quality checks are performed by pam_passwdqc. Verify it is installed and in use:
$ cat /etc/pam.d/passwd
password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password required pam_unix.so no_warn try_first_pass nullok
If pam_passwdqc.so is not commented out, it must contain the settings "enforce=everyone" and "min=disabled,disabled,disabled,disabled,15" (the number in this may be larger). If a number less than 15 appears, this is a finding. If this line is commented out and "minpasswordlen" is correct, this is not a finding.
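Added example, not part of this STIG and not FreeBSD's own code, serving the login.conf checks on this page: passwd_format (FreeBSD-10-000610), idletime (FreeBSD-10-000100) and the minpasswordlen and pam_passwdqc rules here. A small awk reader (function names login_cap, login_cap_resolved, lc_seconds, idletime_status, minpasswordlen_status and passwdqc_status are my own) parses a constructed login.conf excerpt and follows tc= inheritance, so a class such as "staff" is judged by the values it actually resolves to rather than only by what is written under its own name; on a host pass the content of /etc/login.conf and /etc/pam.d/passwd.

```shell
#!/bin/sh
# Added example (not from the STIG): a login.conf(5) reader for passwd_format,
# idletime and minpasswordlen, plus a check of the pam_passwdqc "min=" option.
# Constructed login.conf excerpt: termcap-style records, continuation lines end
# in "\", "tc=" inherits from another class, "#" lines are comments.
SAMPLE_LOGIN_CONF='default:\
	:passwd_format=sha512:\
# :passwd_format=des:\
	:idletime=15m:\
	:minpasswordlen=15:
staff:\
	:idletime=1h:\
	:tc=default:
'
# Constructed /etc/pam.d/passwd excerpt in the form the check above shows.
SAMPLE_PAM_PASSWD='password	requisite	pam_passwdqc.so	enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password	required	pam_unix.so	no_warn try_first_pass nullok
'

# login_cap CONTENT CLASS CAP: value of CAP in CLASS ("true" for a boolean
# capability), nothing if absent. Does not follow tc= (see login_cap_resolved).
login_cap() {
    printf '%s\n' "$1" | awk -v class="$2" -v cap="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0; cont = sub(/\\[[:space:]]*$/, "", line); rec = rec line
            if (cont) next                            # trailing "\" continues the record
            n = split(rec, f, ":"); rec = ""; hit = 0
            split(f[1], names, "|")                   # record name list "name|alias|..."
            for (i in names) if (names[i] == class) hit = 1
            if (!hit) next
            for (j = 2; j <= n; j++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", f[j])
                if (f[j] == cap) { print "true"; exit }
                if (index(f[j], cap "=") == 1) { print substr(f[j], length(cap) + 2); exit }
            }
        }'
}

# login_cap_resolved CONTENT CLASS CAP: like login_cap but follows tc= chains,
# as login_getcapstr(3) does. Exit 1 when the capability is unset everywhere.
login_cap_resolved() {
    _cls=$2; _n=0
    while [ -n "$_cls" ] && [ "$_n" -lt 8 ]; do        # depth limit stops tc= loops
        _v=$(login_cap "$1" "$_cls" "$3")
        if [ -n "$_v" ]; then printf '%s\n' "$_v"; return 0; fi
        _cls=$(login_cap "$1" "$_cls" tc); _n=$((_n + 1))
    done
    return 1
}

# lc_seconds VALUE: a login.conf time ("15m", "1h30m", bare seconds) in seconds.
lc_seconds() {
    printf '%s\n' "$1" | awk '
        function unit(c) { return c=="s"?1:c=="m"?60:c=="h"?3600:c=="d"?86400:c=="w"?604800:0 }
        {
            t = 0; num = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /[0-9]/) num = num c; else { t += num * unit(c); num = "" }
            }
            if (num != "") t += num
            print t
        }'
}

# idletime_status CONTENT CLASS: idletime must be set and no longer than 15m.
idletime_status() {
    _v=$(login_cap_resolved "$1" "$2" idletime) || { echo "FINDING: $2: idletime unset"; return 0; }
    if [ "$(lc_seconds "$_v")" -le 900 ]; then echo "ok: $2: idletime=$_v"
    else echo "FINDING: $2: idletime=$_v exceeds 15m"; fi
}

# minpasswordlen_status CONTENT CLASS: minpasswordlen must be set and at least 15.
minpasswordlen_status() {
    _v=$(login_cap_resolved "$1" "$2" minpasswordlen) || { echo "FINDING: $2: minpasswordlen unset"; return 0; }
    if [ "$_v" -ge 15 ] 2>/dev/null; then echo "ok: $2: minpasswordlen=$_v"
    else echo "FINDING: $2: minpasswordlen=$_v below 15"; fi
}

# passwdqc_status CONTENT: "ok" when the uncommented pam_passwdqc.so password line
# has enforce=everyone and min=disabled x4,N with N >= 15; "FINDING" if weaker;
# "absent" when no such line exists (then minpasswordlen alone must carry the rule).
passwdqc_status() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" && $3 ~ /pam_passwdqc\.so$/ {
            found = 1; enforce = 0; minok = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "enforce=everyone") enforce = 1
                if (index($i, "min=") == 1) {
                    n = split(substr($i, 5), m, ",")
                    minok = (n == 5 && m[1] == "disabled" && m[2] == "disabled" &&
                             m[3] == "disabled" && m[4] == "disabled" && m[5] + 0 >= 15)
                }
            }
            r = (enforce && minok) ? "ok" : "FINDING"; print r; exit
        }
        END { if (!found) print "absent" }'
}
```

Run each *_status function once per class that appears in login.conf, since the check asks about "default" and every other section in use. One caveat that the "cat /etc/login.conf" step hides: login(1) and passwd(1) consult the compiled /etc/login.conf.db, so after editing the text file run "cap_mkdb /etc/login.conf", otherwise the values verified here are not the ones in effect.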
Discussion
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: SRG-OS-000078-GPOS-00046
Fix
Configure the operating system to enforce a minimum 15-character password length.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001560: The operating system must require users to re-authenticate for privilege escalation.
Verify the operating system requires users to re-authenticate for privilege escalation. If it does not, this is a finding. First, ensure root has a password:
$ grep root /etc/master.passwd
If the second column is blank (i.e., the line starts with "root::"), this is a finding: no password is set for root and users may use "su" freely. Second, if sudo is installed, ensure it isn't configured for NOPASSWD authentication:
$ grep NOPASSWD /usr/local/etc/sudoers
If any NOPASSWD entries exist, this is a finding. If the file does not exist, sudo is likely not in use and this is NOT a finding.
Discussion
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. Satisfies: SRG-OS-000373-GPOS-00156
Fix
Configure the operating system to require users to re-authenticate for privilege escalation.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002290: The operating system must not allow an unattended or automatic logon to the system.
If the operating system provides a public access service, such as a kiosk, this is not applicable. Verify the operating system does not allow an unattended or automatic logon to the system. If it does, this is a finding. Automatic logon as an authorized user allows access to any user with physical access to the operating system. For the console, first list all the virtual consoles created at boot:
$ cat /etc/ttys
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console  none                     unknown  off secure
#
ttyv0    "/usr/libexec/getty Pc"  xterm    on  secure
# Virtual terminals
ttyv1    "/usr/libexec/getty Pc"  xterm    on  secure
ttyv2    "/usr/libexec/getty Pc"  xterm    on  secure
ttyv3    "/usr/libexec/getty Pc"  xterm    on  secure
The name after "/usr/libexec/getty" corresponds to an entry in /etc/gettytab.
$ cat /etc/gettytab
Ensure none of the entries used in /etc/ttys has "al=username" in them. For GNOME, automatic login is controlled by /usr/local/etc/gdm/custom.conf:
$ grep Automatic /usr/local/etc/gdm/custom.conf
Ensure AutomaticLoginEnable is not set to True.
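Added example, not from this STIG: the cross-check the text asks for, done mechanically. It lists the active terminals in /etc/ttys with the gettytab entry each one uses, lists the gettytab records that carry "al=", reports the intersection, and reads AutomaticLoginEnable from gdm's custom.conf. Function names (ttys_active_entries, gettytab_autologin_entries, autologin_findings, gdm_autologin_status) are my own, and the three inputs are constructed samples; on a host pass the content of /etc/ttys, /etc/gettytab and /usr/local/etc/gdm/custom.conf.

```shell
#!/bin/sh
# Added example (not from the STIG): cross-check /etc/ttys against /etc/gettytab
# for "al=" (auto-login) entries and read gdm's AutomaticLoginEnable. All inputs
# are constructed samples; on a host, substitute the live files.
SAMPLE_TTYS='# name	getty				type	status	comments
console	none				unknown	off secure
ttyv0	"/usr/libexec/getty Pc"		xterm	on  secure
ttyv1	"/usr/libexec/getty Pc"		xterm	on  secure
ttyv2	"/usr/libexec/getty Kiosk"	xterm	on  secure
ttyv3	"/usr/libexec/getty Kiosk"	xterm	off secure
ttyu0	"/usr/libexec/getty 3wire"	vt100	onifconsole secure
'
SAMPLE_GETTYTAB='# constructed excerpt in gettytab(5) format
default:\
	:cb:ce:ck:lc:fd#1000:sp#1200:\
	:if=/etc/issue:
P|Pc|Pc console:\
	:ht:np:sp#115200:
Kiosk|kiosk autologin:\
	:al=kiosk:tc=Pc:
3wire|3wire.9600:\
	:np:sp#9600:
'
SAMPLE_GDM_CONF='# constructed /usr/local/etc/gdm/custom.conf
[daemon]
AutomaticLoginEnable=True
AutomaticLogin=kiosk
[security]
'

# ttys_active_entries CONTENT: "tty<TAB>gettytab-entry" for each line whose status
# is "on" or "onifconsole"; the entry is the last word of the quoted getty command.
ttys_active_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        match($0, /"[^"]*"/) {
            cmd = substr($0, RSTART + 1, RLENGTH - 2)     # /usr/libexec/getty Pc
            rest = substr($0, RSTART + RLENGTH); sub(/^[[:space:]]+/, "", rest)
            split(rest, r, /[[:space:]]+/)                # r[1]=type r[2]=status
            nc = split(cmd, c, /[[:space:]]+/)
            if (r[2] ~ /^on/) print $1 "\t" c[nc]
        }'
}

# gettytab_autologin_entries CONTENT: every name or alias of a record that carries
# an "al=" capability. A record starts at a non-indented line and its continuation
# lines are indented. Inheritance through "tc=" is not followed here.
gettytab_autologin_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[^[:space:]:]/ { names = $0; sub(/:.*/, "", names) }
        /(^|:)al=/       { n = split(names, a, "|"); for (i = 1; i <= n; i++) print a[i] }'
}

# autologin_findings TTYS GETTYTAB: one FINDING line per active terminal whose
# gettytab entry logs a user in automatically; no output when clean.
autologin_findings() {
    _al=$(gettytab_autologin_entries "$2")
    ttys_active_entries "$1" | while IFS="$(printf '\t')" read -r _tty _entry; do
        if printf '%s\n' "$_al" | grep -qxF -- "$_entry"; then
            echo "FINDING: $_tty uses gettytab entry $_entry (al=)"
        fi
    done
    return 0
}

# gdm_autologin_status CONTENT: FINDING when AutomaticLoginEnable is true in the
# [daemon] section; keys are case-insensitive and "#"/";" lines are comments.
gdm_autologin_status() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sect = tolower($0); gsub(/[[:space:]]/, "", sect); next }
        { k = tolower($1); gsub(/[[:space:]]/, "", k); v = $2; gsub(/[[:space:]]/, "", v) }
        sect == "[daemon]" && k == "automaticloginenable" && tolower(v) == "true" {
            f = "FINDING: AutomaticLoginEnable=" v; exit
        }
        END { if (f == "") f = "ok"; print f }'
}

autologin_findings "$SAMPLE_TTYS" "$SAMPLE_GETTYTAB"
gdm_autologin_status "$SAMPLE_GDM_CONF"
```

On the sample only ttyv2 is reported: ttyv3 uses the same auto-login entry but is "off", and ttyu0 is active but its entry has no "al=". Because gettytab entries can inherit "al=" from a parent through "tc=", an entry that shows up clean here still needs its tc= chain read when the parent records are not the stock ones.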
Discussion
Failure to restrict system access to authenticated users negatively impacts operating system security. Satisfies: SRG-OS-000480-GPOS-00229
Fix
If the operating system provides a public access service, such as a kiosk, this is not applicable. Configure the operating system to not allow an unattended or automatic logon to the system. Automatic logon as an authorized user allows access to any user with physical access to the operating system.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001080: The operating system must use cryptographic mechanisms to protect the integrity of audit tools.
Verify the operating system uses cryptographic mechanisms to protect the integrity of audit tools. If it does not, this is a finding. AIDE is one tool that may be used to check this. To see if AIDE is installed:
# pkg info aide
aide-0.16
Name           : aide
Version        : 0.16
Installed on   : Tue Mar 27 09:56:37 2018 UTC
Origin         : security/aide
Architecture   : FreeBSD:10:amd64
Prefix         : /usr/local
Categories     : security
Licenses       :
Maintainer     : cy@FreeBSD.org
WWW            : https://sourceforge.net/projects/aide/
Comment        : Replacement and extension for Tripwire
Annotations    :
	repo_type      : binary
	repository     : FreeBSD
Flat size      : 1.31MiB
Description    :
AIDE is Advanced Intrusion Detection Environment. This piece of software was written as a replacement and extension for Tripwire.

WWW: https://sourceforge.net/projects/aide/
If AIDE is not installed, pkg will say "No package(s) matching aide." To see if it runs periodically:
$ cat /etc/crontab
$ ls /etc/cron.d/*
One of these may indicate that AIDE is being run.
$ grep audit /etc/aide.conf
If there are no lines indicating that the audit binaries (audit and auditd) and the audit configuration in /etc/security/ are being monitored, this is a finding. Other auditing software is available, such as Tripwire. Ask the system administrator if they are using an alternative system.
Discussion
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. Satisfies: SRG-OS-000278-GPOS-00108
Fix
Configure the operating system to use cryptographic mechanisms to protect the integrity of audit tools.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000320: The operating system must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Verify the operating system allows only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. If it does not, this is a finding.

$ ls -l /etc/security/

Ensure write permissions are limited to root/wheel.
Discussion
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Satisfies: SRG-OS-000063-GPOS-00032
Fix
Configure the operating system to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000590: The operating system must uniquely identify peripherals before establishing a connection.
Verify the operating system uniquely identifies peripherals before establishing a connection. If it does not, this is a finding.

$ cat /etc/devd.conf

Check if automounting is enabled by looking for a section similar to:

notify 100 {
        match "system" "GEOM";
        match "subsystem" "DEV";
        action "/usr/sbin/automount -c";
};

This file also lists other USB device configuration items. Broad matches with non-specific actions may be a finding.
Discussion
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. Satisfies: SRG-OS-000114-GPOS-00059
Fix
Configure the operating system to uniquely identify peripherals before establishing a connection.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001380: The operating system must provide a report generation capability that supports on-demand audit review and analysis.
Verify the operating system provides a report generation capability that supports on-demand audit review and analysis. If it does not, this is a finding. Ensure "praudit" is installed:

$ which praudit
/usr/sbin/praudit

If the command is not found, this is a finding. If an alternative audit report generating capability is in place, this is not a finding.
Discussion
The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. Report generation must be capable of generating on-demand (i.e., customizable, ad hoc, and as-needed) reports. On-demand reporting allows personnel to report issues more rapidly to more effectively meet reporting requirements. Collecting log data and aggregating it to present the data in a single, consolidated report achieves this objective. Satisfies: SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000354-GPOS-00142
Fix
Configure the operating system to provide a report generation capability that supports on-demand audit review and analysis.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001860: The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
Verify the operating system protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. If it does not, this is a finding. Ensure PF is enabled:

$ grep pf_ /etc/rc.conf
pf_enable="YES"
pf_flags=""

"pf_enable" must be set to YES. (There may be additional lines.)

$ pfctl -s rules
pass in inet proto tcp from any to 10.1.1.1 port = http flags S/SA keep state (source-track rule, max-src-conn-rate 100/10, overload <bad_hosts> flush global, src.track 10)

If a rule does not exist that contains max-src-conn-rate, to rate limit connections to applicable interfaces, this is a finding.
Discussion
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. Satisfies: SRG-OS-000420-GPOS-00186
Fix
Configure the operating system to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000970: The operating system must protect audit tools from unauthorized access, modification or deletion.
Verify the operating system protects audit tools from unauthorized deletion. If it does not, this is a finding.

$ ls -l `which praudit`

Ensure the praudit executable is owned by root or the wheel group, and is not writable by other users.

$ ls -l /etc/security/audit*

Ensure these files are owned by root or the wheel group, and that only root or the wheel group can write to these files.
Discussion
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Fix
Configure the operating system to protect audit tools from unauthorized access, modification or deletion.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000520: The operating system must use multifactor authentication for network access to privileged and non-privileged accounts.
Verify the operating system uses multifactor authentication for network access to privileged and non-privileged accounts. If it does not, this is a finding. Ask the system administrator whether multifactor authentication is used for network access.
Discussion
To assure accountability and prevent unauthenticated access, users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: 1) something a user knows (e.g., password/PIN); 2) something a user has (e.g., cryptographic identification device, token); and 3) something a user is (e.g., biometric). Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the Internet). The DoD CAC with DoD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053
Fix
Configure the operating system to use multifactor authentication for network access to privileged and non-privileged accounts.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000720: The operating system must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
Verify the operating system terminates all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements. If it does not, this is a finding.

$ cat /etc/login.conf

Ensure "idletime" is set under the "default" section and any other sections in use. If it is not set or is set to more than 10m, this is a finding.
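An added example, not part of the STIG text, that automates the login.conf inspection above in POSIX sh: it joins the backslash-continued class records, reads each class's idletime, converts the s/m/h/d forms login.conf accepts into seconds and flags any class that sets no limit or exceeds the 10-minute ceiling. Classes that only carry tc=<parent> are assumed to inherit their parent's idletime and are skipped; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG text: parse a login.conf-style file and
# flag every class whose idletime is missing or above a ceiling (default 600 s,
# the 10m limit applied by the check above). Continuation lines are joined
# first; classes that only say tc=<parent> inherit the parent's idletime and
# are skipped.

# to_seconds <value> -> seconds, or -1 if not a number with an optional s/m/h/d suffix
to_seconds() {
    n=${1%[smhd]}
    case "$n" in ''|*[!0-9]*) printf '%s\n' "-1"; return ;; esac
    case "$1" in
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *d) echo $((n * 86400)) ;;
        *)  echo "$n" ;;
    esac
}

# idletime_ok <login.conf> [max-seconds] -> 0 if compliant; else prints findings, returns 1
idletime_ok() {
    max=${2:-600}
    findings=$(
        # join backslash-continued lines, drop comments and blanks: one record per line
        awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
             { line = $0
               if (sub(/\\[[:space:]]*$/, "", line)) { rec = rec line; next }
               print rec line; rec = "" }' "$1" |
        while IFS= read -r rec; do
            cls=${rec%%:*}
            # capabilities are colon-separated; idletime=<value> is one field
            val=$(printf '%s\n' "$rec" | tr ':' '\n' | grep '^idletime=' | head -n 1 | cut -d= -f2)
            if [ -z "$val" ]; then
                case "$rec" in *:tc=*) continue ;; esac
                echo "finding: class '$cls' sets no idletime"
                continue
            fi
            secs=$(to_seconds "$val")
            if [ "$secs" -lt 0 ]; then
                echo "finding: class '$cls' has unparseable idletime '$val'"
            elif [ "$secs" -gt "$max" ]; then
                echo "finding: class '$cls' idletime $val exceeds ${max}s"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as "idletime_ok /etc/login.conf" on the host, or pass 900 as the second argument when checking a class used only for non-privileged sessions.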
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Fix
Configure the operating system to terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001430: The operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Verify the operating system, for networked systems, compares internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). If it does not, this is a finding. Ensure NTP is enabled:

$ grep ntpd_ /etc/rc.conf

"ntpd_enable" should be set to YES.

$ cat /etc/ntp.conf

Verify the configuration of NTP.
Discussion
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
Fix
Configure the operating system to, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000710: The operating system must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
Verify the operating system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. If it does not, this is a finding. The status of the "net.inet.tcp.syncookies" kernel parameter can be queried by running the following command:

$ sysctl net.inet.tcp.syncookies

The output of the command should indicate a value of "1". If this value is not "1", investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

$ grep net.inet.tcp.syncookies /etc/sysctl.conf

If an incorrect value is returned by sysctl, or configured improperly in /etc/sysctl.conf, this is a finding.
Discussion
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Satisfies: SRG-OS-000142-GPOS-00071
Fix
Configure the operating system to manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000370: The operating system must enforce password complexity.
Verify the operating system enforces password complexity by requiring that at least one upper-case character, one lower-case character, one numeric character, and one special character be used. If it does not, this is a finding. FreeBSD password quality checks are performed by pam_passwdqc. Verify it is installed and in use:

$ cat /etc/pam.d/passwd
password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password required pam_unix.so no_warn try_first_pass nullok

Ensure pam_passwdqc.so is not commented out and contains the settings "enforce=everyone" and "min=disabled,disabled,disabled,disabled,15" (the number in this may be larger). If it does not, this is a finding.
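An added example, not part of the STIG text, that checks a PAM "passwd" service file against the pam_passwdqc settings above in POSIX sh: it takes the first active (uncommented) password line that loads pam_passwdqc.so, then verifies enforce=everyone and that the min= list disables the four weaker password classes and requires at least 15 characters for the fifth. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG text: check a PAM "passwd" service file
# for the pam_passwdqc settings the check above requires. Compliant only when
# an active (uncommented) password line loads pam_passwdqc.so with
# enforce=everyone and min=disabled,disabled,disabled,disabled,<N> where N >= 15.

# passwdqc_ok <pam-file> -> 0 if compliant; otherwise prints findings and returns 1
passwdqc_ok() {
    # first active "password" line that loads pam_passwdqc.so
    line=$(grep -v '^[[:space:]]*#' "$1" | grep '^password[[:space:]]' \
           | grep 'pam_passwdqc\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "finding: no active pam_passwdqc.so password line"
        return 1
    fi
    rc=0 enforce="" min=""
    for tok in $line; do
        case "$tok" in
            enforce=*) enforce=${tok#enforce=} ;;
            min=*)     min=${tok#min=} ;;
        esac
    done
    if [ "$enforce" != everyone ]; then
        echo "finding: enforce=everyone missing (got '${enforce:-unset}')"; rc=1
    fi
    # min= lists five minimum lengths, one per password class; the first four
    # (weaker mixes) must be disabled and the fifth (all four character classes
    # present) must be at least 15
    old_ifs=$IFS; IFS=,; set -- $min; IFS=$old_ifs
    if [ $# -ne 5 ]; then
        echo "finding: min= must list five values (got '${min:-unset}')"; rc=1
    else
        for cls in "$1" "$2" "$3" "$4"; do
            if [ "$cls" != disabled ]; then
                echo "finding: weaker class '$cls' allowed in min="; rc=1
            fi
        done
        case "$5" in
            ''|*[!0-9]*) echo "finding: fifth min= value '$5' is not a number"; rc=1 ;;
            *) if [ "$5" -lt 15 ]; then echo "finding: minimum length $5 < 15"; rc=1; fi ;;
        esac
    fi
    return $rc
}
```

Run it as "passwdqc_ok /etc/pam.d/passwd"; a non-zero exit with printed findings is the STIG finding.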
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101
Fix
Configure the operating system to enforce password complexity.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000110: The operating system must provide the capability for users to directly initiate a session lock for all connection types.
Verify the operating system provides the capability for users to directly initiate a session lock for all connection types. If it does not, this is a finding. If GNOME is used on the system:

$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled

If KDE or another desktop environment is used, checking procedures will vary.
Discussion
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
Fix
Configure the operating system to provide the capability for users to directly initiate a session lock for all connection types.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000540: The operating system must use multifactor authentication for local access.
Verify the operating system uses multifactor authentication for local access. If it does not, this is a finding. One possible tool for this is pcsc. Check if it is enabled in rc.conf:

$ grep pcsc /etc/rc.conf

If pcscd is not enabled, check with the system administrator whether another method of multifactor authentication is in use.
Discussion
To assure accountability, prevent unauthenticated access, and prevent misuse of the system, users must utilize multifactor authentication for local access. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: 1) Something you know (e.g., password/PIN); 2) Something you have (e.g., cryptographic identification device or token); and 3) Something you are (e.g., biometric). Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. The DoD CAC with DoD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Fix
Configure the operating system to use multifactor authentication for local access.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-000150: The operating system must produce audit records containing information to establish what type of events occurred.
Verify the operating system produces audit records containing information to establish what type of events occurred. If it does not, this is a finding. To check if auditing is in place:

$ grep auditd /etc/rc.conf
auditd_enable="YES"

If auditd_enable does not equal "YES", this is a finding.

$ service auditd status

If auditd is not running, this is a finding.
Discussion
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000055-GPOS-00026, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000359-GPOS-00146
Fix
Configure the operating system to produce audit records containing information to establish what type of events occurred.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-002310: The operating system must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
Verify the operating system employs a deny-all, allow-by-exception firewall policy for allowing connections to other systems. If it does not, this is a finding. Ensure PF is enabled:

$ grep pf_ /etc/rc.conf
pf_enable="YES"
pf_flags=""

"pf_enable" must be set to YES. (There may be additional lines.)

$ pfctl -s rules
block drop all
pass in proto tcp from any to any port = http flags S/SA keep state
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass out proto tcp from any to any port = http flags S/SA keep state
pass out proto tcp from any to any port = ssh flags S/SA keep state

If the first line does not indicate "block drop all", this is a finding.
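An added example, not part of the STIG text, covering both PF checks on this page (the rate-limiting check FreeBSD-10-001860 and the deny-all check FreeBSD-10-002310) in POSIX sh: it reads a saved copy of /etc/rc.conf and of the "pfctl -s rules" output, confirms pf_enable is YES, that the first rule is "block drop all", and that every inbound TCP pass rule carries max-src-conn-rate. Reading from saved files is an assumption so the checks can run offline; the sample inputs in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG text: offline checks for the PF
# requirements above, run against saved copies of /etc/rc.conf and of the
# "pfctl -s rules" output (e.g. "pfctl -s rules > /tmp/rules.txt").

# pf_enabled <rc.conf> -> 0 if the last active pf_enable= assignment is YES
pf_enabled() {
    val=$(grep '^[[:space:]]*pf_enable=' "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'")
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
    esac
    return 1
}

# pf_policy_ok <rules-dump> -> 0 if compliant; otherwise prints findings and returns 1
pf_policy_ok() {
    rc=0
    # deny-all, allow-by-exception: the first loaded rule must be "block drop all"
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
    if [ "$first" != "block drop all" ]; then
        echo "finding: first rule is '$first', expected 'block drop all'"
        rc=1
    fi
    # rate limiting: every "pass in ... proto tcp" rule needs max-src-conn-rate
    awk 'BEGIN { bad = 0 }
         /^pass in / && /proto tcp/ && !/max-src-conn-rate/ {
             print "finding: no max-src-conn-rate on: " $0; bad = 1 }
         END { exit bad }' "$1" || rc=1
    return $rc
}
```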
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. Satisfies: SRG-OS-000480-GPOS-00231
Fix
Configure the operating system to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
FreeBSD-10-001920: The operating system must implement non-executable data to protect its memory from unauthorized code execution.
Verify the operating system implements non-executable data to protect its memory from unauthorized code execution. If it does not, this is a finding.

$ sysctl kern | grep nxstack
kern.elf32.nxstack: 1
kern.elf64.nxstack: 1

If "1" is not displayed for elf32 and elf64, this is a finding.
Discussion
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. Satisfies: SRG-OS-000433-GPOS-00192
Fix
Configure the operating system to implement non-executable data to protect its memory from unauthorized code execution.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None