Dev/STIG

From Whonix

DISA STIG (Security Technical Implementation Guides) Audit with Comments

Conclusion

Initial impression:

  • Mostly applicable to governmental or enterprise environments.
  • Whonix / Kicksecure is not an enterprise operating system yet. Such a flavor might be possible in future if an enterprise pays for implementation of these features / such a flavor.
  • Lots of false positives.
  • Doesn't test for and/or find anything catastrophic such as remotely exploitable vulnerabilities.
  • Would still be useful to work through the list and add comments for any reported failure.

forum discussion (archive.org)

Raw Output

See Dev/STIG/raw.

Commented Output

Run in Qubes-Whonix-Workstation.

TODO: add comments

[ FAIL ] The cryptographic hash of system files and commands must match vendor values.
bash scripts/check-package-verify.sh >/dev/null 2>&1 &
spinner $!
output "SV-86479r2_rule" $?

Probably a porting issue. check-package-verify.sh (archive.org) does not test anything security relevant.

[ FAIL ] The operating system must have the screen package installed.

Not security relevant.

[ FAIL ] When passwords are changed or new passwords are established, the new password must contain at least one upper-case character.
[ FAIL ] When passwords are changed or new passwords are established, the new password must contain at least one lower-case character.
[ FAIL ] When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.
[ FAIL ] When passwords are changed or new passwords are assigned, the new password must contain at least one special character.
[ FAIL ] When passwords are changed a minimum of eight of the total number of characters must be changed.
[ FAIL ] When passwords are changed a minimum of four character classes must be changed.
[ FAIL ] When passwords are changed the number of repeating consecutive characters must not be more than four characters.
[ FAIL ] When passwords are changed the number of repeating characters of the same character class must not be more than four characters.

[1] Defended in other ways. See Dev/Permissions. Unclear rationale. Discussed here: https://forums.whonix.org/t/enforce-minimum-password-strength-pam-cracklib/8972/4 (archive.org)

[ PASS ] The PAM system service must be configured to store only encrypted representations of passwords.

TODO

[ PASS ] The shadow file must be configured to store only encrypted representations of passwords.

TODO

[ FAIL ] Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime.
[ FAIL ] Passwords must be restricted to a 24 hours/1 day minimum lifetime.
[ PASS ] Passwords for new users must be restricted to a 60-day maximum lifetime.
[ FAIL ] Existing passwords must be restricted to a 60-day maximum lifetime.
[ FAIL ] Passwords must be prohibited from reuse for a minimum of five generations.
[ FAIL ] Passwords must be a minimum of 15 characters in length.

Same as [1].

[ FAIL ] The system must not have accounts configured with blank or null passwords.

TODO

[ FAIL ] The SSH daemon must not allow authentication using an empty password.

[2] Not applicable. SSH is not installed by default.

[ FAIL ] The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.

Same as [1].

Expiry limits would likely just annoy users. This might be more useful in an enterprise context where shoulder surfing might be an issue.

TODO: document shoulder surfing

[ FAIL ] Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.

Same as [1].

Currently set to 50 failed attempts before the unlock procedure is required. 50 attempts are far too few for a brute-force attack to succeed.

Setting it to 3 might run into bugs. There are cases involving sudo where one login attempt is counted as three because text was pasted into the terminal emulator by mistake. The value of 50 might be lowered incrementally over future releases if that seems worthwhile, but not to 3. Can be discussed in https://forums.whonix.org/t/protect-linux-user-accounts-against-brute-force-attacks/7698 (archive.org)
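As an added example (not Whonix/Kicksecure code), the POSIX shell script below extracts the failed-login threshold from a PAM configuration file and rates it against the STIG value (3) and the value this page states Whonix uses (50). Which PAM module Whonix configures is an assumption here; both pam_tally2 and pam_faillock take a deny=N option, so the script accepts either. The sample PAM lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Whonix/Kicksecure code.
# Assumption: the lockout is configured via pam_tally2.so or pam_faillock.so
# with a "deny=N" option on an uncommented line.

# Usage: pam_deny_threshold PAM_FILE
# Prints N from the first deny=N on a lockout-module line; status 1 if none.
pam_deny_threshold() {
    grep -E '^[^#]*pam_(tally2|faillock)\.so' "$1" \
    | sed -n 's/.*[[:space:]]deny=\([0-9][0-9]*\).*/\1/p' \
    | head -n 1 \
    | grep .
}

# Usage: lockout_verdict N
# One-line assessment in the terms used on this page.
lockout_verdict() {
    if [ "$1" -le 3 ]; then
        echo "STIG-compliant, but one pasted line can burn all $1 attempts (sudo paste issue)"
    elif [ "$1" -le 50 ]; then
        echo "not STIG-compliant; $1 attempts are still far too few for a brute-force attack"
    else
        echo "not STIG-compliant; $1 attempts is above the current default of 50"
    fi
}

# Constructed sample PAM file (not copied from a real system).
SAMPLE_PAM=$(mktemp)
cat >"$SAMPLE_PAM" <<'EOF'
# constructed sample
auth required pam_tally2.so onerr=fail deny=50 unlock_time=120
auth required pam_unix.so
EOF

if N=$(pam_deny_threshold "$SAMPLE_PAM"); then
    echo "deny=$N: $(lockout_verdict "$N")"
else
    echo "no lockout module configured"
fi
rm -f "$SAMPLE_PAM"
```

Run it against /etc/pam.d/common-auth (or the file your distribution uses) instead of the constructed sample to see the live value.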

[ FAIL ] If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked.

Same as [1].

root login is disabled by default.

[ FAIL ] Users must provide a password for privilege escalation.

Qubes issue: https://github.com/QubesOS/qubes-issues/issues/2695 (archive.org)

[ PASS ] Users must re-authenticate for privilege escalation.

OK.

[ FAIL ] The delay between logon prompts following a failed console logon attempt must be at least four seconds.

Same as [1].

[ FAIL ] The operating system must not allow users to override SSH environment variables.

TODO

[ FAIL ] The operating system must not allow a non-certificate trusted host SSH logon to the system.

Same as [2].

[ PASS ] Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

This test cannot produce a meaningful result inside a VM; the boot loader and firmware are not under the guest's control.

[ PASS ] Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.

This test cannot produce a meaningful result inside a VM; the boot loader and firmware are not under the guest's control.

[ PASS ] The rsh-server package must not be installed.
[ PASS ] The ypserv package must not be installed.
[ PASS ] A file integrity tool must verify the baseline operating system configuration at least weekly.
[ PASS ] The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

OK.

[ FAIL ] The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.

TODO

[ PASS ] The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
[ PASS ] USB mass storage must be disabled.
[ PASS ] File system automounter must be disabled unless required.
grep: /boot/grub/grub.cfg: No such file or directory

OK.

[ FAIL ] The operating system must enable AppArmor.

False positive. AppArmor is enabled.

[ FAIL ] The x86 Ctrl-Alt-Delete key sequence must be disabled.

TODO

[ FAIL ] The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

TODO

[ FAIL ] The operating system must be a vendor supported release.

TODO

[ FAIL ] Vendor packaged system security patches and updates must be installed and up to date.

TODO

[ PASS ] All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file.
[ PASS ] The root account must be the only account having unrestricted access to the system.
[ PASS ] All files and directories must have a valid owner.
[ PASS ] All files and directories must have a valid group owner.
[ PASS ] All local interactive users must have a home directory assigned in the /etc/passwd file.

OK.

[ FAIL ] All local interactive user accounts, upon creation, must be assigned a home directory.

TODO

[ FAIL ] All local interactive user home directories defined in the /etc/passwd file must exist.

TODO

[ PASS ] All local interactive user home directories must have mode 0750 or less permissive.
[ PASS ] All local interactive user home directories must be owned by their respective users.
[ PASS ] All local interactive user home directories must be group-owned by the home directory owners primary group.

OK.

[ FAIL ] All files and directories contained in local interactive user home directories must be owned by the owner of the home directory.
[ FAIL ] All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member.
[ FAIL ] All files and directories contained in local interactive user home directories must have mode 0750 or less permissive.

TODO

[ PASS ] All local initialization files for interactive users must be owned by the home directory user or root.
[ PASS ] Local initialization files for local interactive users must be group-owned by the users primary group or root.

OK.

[ FAIL ] All local initialization files must have mode 0740 or less permissive.

TODO

[ PASS ] All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.
[ PASS ] Local initialization files must not execute world-writable programs.

OK.

[ FAIL ] File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.

TODO: in development https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 (archive.org)
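As an added example (not Whonix/Kicksecure code and independent of the work tracked in the forum thread), the POSIX shell script below shows the check behind this item and the removable-media and NFS items that follow it: it reads a file in /proc/self/mounts format and reports which hardening options a given mount point lacks. The mount table is constructed for the demo; on a live system pass /proc/self/mounts instead.

```shell
#!/bin/sh
# Added example, not Whonix/Kicksecure code.

# Usage: mount_missing_opts MOUNTS_FILE MOUNTPOINT "opt1 opt2 ..."
# Prints the options from the list that MOUNTPOINT lacks (space separated);
# prints an empty line when all are present. Status 1 if not mounted.
# Field 2 of /proc/self/mounts is the mount point, field 4 the option list;
# the last matching line wins, as the most recent mount is the effective one.
mount_missing_opts() {
    _file=$1; _mnt=$2; _want=$3
    _opts=$(awk -v m="$_mnt" '$2 == m { o = $4 } END { if (o != "") print o }' "$_file")
    [ -n "$_opts" ] || return 1
    _missing=""
    for _o in $_want; do
        case ",$_opts," in
            *",$_o,"*) ;;                      # option present
            *) _missing="$_missing $_o" ;;     # option absent
        esac
    done
    printf '%s\n' "${_missing# }"
}

# Constructed sample in /proc/self/mounts format (not a real system's output).
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/xvda3 / ext4 rw,relatime,discard 0 0
/dev/xvdb /rw ext4 rw,relatime 0 0
/dev/xvdb /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF

# The STIG asks for nosuid (and nodev/noexec on removable and NFS mounts).
HARDENED_OPTS="nosuid nodev noexec"

for _mp in /home /tmp /mnt/usb; do
    if _m=$(mount_missing_opts "$SAMPLE_MOUNTS" "$_mp" "$HARDENED_OPTS"); then
        [ -n "$_m" ] && echo "$_mp: missing $_m" || echo "$_mp: OK"
    else
        echo "$_mp: not mounted"
    fi
done
# Expected:
#   /home: missing nosuid nodev noexec
#   /tmp: OK
#   /mnt/usb: not mounted
rm -f "$SAMPLE_MOUNTS"
```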

[ PASS ] File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.

OK.

[ FAIL ] File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.

TODO.

[ PASS ] All world-writable directories must be group-owned by root, sys, bin, or an application group.

OK.

[ FAIL ] The umask must be set to 077 for all local interactive user accounts.

Defended by a stronger measure: by default the home folder is not accessible by other users at all.

[ FAIL ] Cron logging must be implemented.

Same as [3].

[ PASS ] Kernel core dumps must be disabled unless needed.
[ PASS ] A separate file system must be used for user home directories (such as /home or an equivalent).

OK.

[ FAIL ] The system must use a separate file system for /var.
[ FAIL ] The system must use a separate file system for the system audit data path.
[ FAIL ] The system must use a separate file system for /tmp (or equivalent).

TODO

[ PASS ] The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
[ FAIL ] The file integrity tool must be configured to verify Access Control Lists (ACLs).

TODO

[ FAIL ] The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.

TODO

[ PASS ] The system must not allow removable media to be used as the boot loader unless approved.
[ PASS ] The telnet-server package must not be installed.

OK.

[ FAIL ] Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events.

TODO

[ FAIL ] The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.

TODO

[ FAIL ] The operating system must off-load audit records onto a different system or media from the system being audited.

TODO

[ FAIL ] The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.

TODO

[ FAIL ] The audit system must take appropriate action when the audit storage volume is full.

TODO

[ FAIL ] The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

TODO

[ FAIL ] The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.

TODO

[ FAIL ] The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.

TODO

[ FAIL ] All uses of the chown command must be audited.
[ FAIL ] All uses of the fchown command must be audited.
[ FAIL ] All uses of the lchown command must be audited.
[ FAIL ] All uses of the fchownat command must be audited.
[ FAIL ] All uses of the chmod command must be audited.
[ FAIL ] All uses of the fchmod command must be audited.
[ FAIL ] All uses of the fchmodat command must be audited.
[ FAIL ] All uses of the setxattr command must be audited.
[ FAIL ] All uses of the fsetxattr command must be audited.
[ FAIL ] All uses of the lsetxattr command must be audited.
[ FAIL ] All uses of the removexattr command must be audited.
[ FAIL ] All uses of the fremovexattr command must be audited.
[ FAIL ] All uses of the lremovexattr command must be audited.
[ FAIL ] All uses of the creat command must be audited.
[ FAIL ] All uses of the open command must be audited.
[ FAIL ] All uses of the openat command must be audited.
[ FAIL ] All uses of the open_by_handle_at command must be audited.
[ FAIL ] All uses of the truncate command must be audited.
[ FAIL ] All uses of the ftruncate command must be audited.

TODO

[ FAIL ] The operating system must generate audit records for all successful/unsuccessful account access count events.
[ FAIL ] The operating system must generate audit records for all unsuccessful account access events.
[ FAIL ] The operating system must generate audit records for all successful account access events.

TODO

[ FAIL ] All uses of the passwd command must be audited.
[ FAIL ] All uses of the unix_chkpwd command must be audited.
[ FAIL ] All uses of the gpasswd command must be audited.
[ FAIL ] All uses of the chage command must be audited.
[ FAIL ] All uses of the su command must be audited.
[ FAIL ] All uses of the sudo command must be audited.
[ FAIL ] All uses of the sudoers command must be audited.
[ FAIL ] All uses of the newgrp command must be audited.
[ FAIL ] All uses of the chsh command must be audited.
[ FAIL ] All uses of the sudoedit command must be audited.
[ FAIL ] All uses of the mount command must be audited.
[ FAIL ] All uses of the umount command must be audited.
[ FAIL ] All uses of the postqueue command must be audited.
[ FAIL ] All uses of the ssh-keysign command must be audited.
[ FAIL ] All uses of the crontab command must be audited.
[ FAIL ] All uses of the pam_timestamp_check command must be audited.
[ FAIL ] All uses of the init_module command must be audited.
[ FAIL ] All uses of the delete_module command must be audited.
[ FAIL ] All uses of the insmod command must be audited.
[ FAIL ] All uses of the rmmod command must be audited.
[ FAIL ] All uses of the modprobe command must be audited.

TODO

[ FAIL ] The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

TODO

[ FAIL ] All uses of the rename command must be audited.
[ FAIL ] All uses of the renameat command must be audited.
[ FAIL ] All uses of the rmdir command must be audited.
[ FAIL ] All uses of the unlink command must be audited.
[ FAIL ] All uses of the unlinkat command must be audited.

TODO
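As an added example that is neither part of this page nor of the Whonix/Kicksecure code base, the POSIX shell script below serves this group of syscall items and the two preceding groups: it extracts which syscalls an auditd rules file already covers with always,exit rules, lists the syscalls of a given STIG group that are still uncovered, and prints a rule for them in the form the STIG itself uses. The rules file is constructed for the demo; the key names (perm_mod, access, delete) are assumptions.

```shell
#!/bin/sh
# Added example, not Whonix/Kicksecure code.
# A syscall counts as covered when some "-a always,exit" (or "exit,always")
# rule names it in a -S argument; comma-separated lists and repeated -S
# flags both count. Architecture (b32/b64) is deliberately not distinguished.

# Usage: audit_covered_syscalls RULES_FILE -> one covered syscall per line
audit_covered_syscalls() {
    grep -E '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "-S") {
                 n = split($(i+1), s, ","); for (j = 1; j <= n; j++) print s[j] } }' \
    | sort -u
}

# Usage: audit_missing_syscalls RULES_FILE "sc1 sc2 ..." -> missing ones, space separated
audit_missing_syscalls() {
    _cov=$(audit_covered_syscalls "$1")
    _missing=""
    for _sc in $2; do
        printf '%s\n' "$_cov" | grep -qx "$_sc" || _missing="$_missing $_sc"
    done
    printf '%s\n' "${_missing# }"
}

# Usage: audit_rule_for "sc1 sc2 ..." KEY -> b32 and b64 rules in STIG style
# (auid>=1000 restricts to real users; auid!=4294967295 excludes "unset").
audit_rule_for() {
    _list=$(printf '%s' "$1" | tr ' ' ',')
    for _arch in b32 b64; do
        printf '%s always,exit -F arch=%s -S %s -F auid>=1000 -F auid!=4294967295 -k %s\n' \
            "-a" "$_arch" "$_list" "$2"
    done
}

# Constructed sample rules file (not from a real system).
SAMPLE_RULES=$(mktemp)
cat >"$SAMPLE_RULES" <<'EOF'
# constructed sample
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
EOF

for _group in "perm_mod:chown fchown lchown fchownat chmod fchmod fchmodat" \
              "access:creat open openat open_by_handle_at truncate ftruncate" \
              "delete:rename renameat rmdir unlink unlinkat"; do
    _key=${_group%%:*}; _scs=${_group#*:}
    _m=$(audit_missing_syscalls "$SAMPLE_RULES" "$_scs")
    if [ -n "$_m" ]; then
        echo "# $_key: missing $_m; suggested rules:"
        audit_rule_for "$_m" "$_key"
    else
        echo "# $_key: fully covered"
    fi
done
rm -f "$SAMPLE_RULES"
```

Point audit_missing_syscalls at /etc/audit/rules.d/*.rules (concatenated) or the output of `auditctl -l` to compare a live system against the STIG groups listed above.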

[ FAIL ] The system must send rsyslog output to a log aggregation server.

Same as [3].

Maybe Qubes LogVM https://github.com/Zrubi/Qubes-LogVM (archive.org)

[ PASS ] The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation.

Probably OK: rsyslog is not in use, and even if it were, there are no open server ports by default. TODO: verify.

[ FAIL ] The system must use a DoD-approved virus scan program.
[ FAIL ] The system must update the DoD-approved virus scan program every seven days or more frequently.

Disagree; see the Malware wiki page for the rationale.

[ FAIL ] The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.

TODO

[ FAIL ] A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.

Same as [2].

[ FAIL ] All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.
[ FAIL ] The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts.

Not security relevant. Might be legally relevant for enterprise operating systems.

[ FAIL ] All networked systems must have SSH installed.
[ FAIL ] All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
[ FAIL ] All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.

Same as [2].

[ FAIL ] The SSH daemon must not allow authentication using RSA rhosts authentication.
[ FAIL ] All network connections associated with SSH traffic must terminate after a period of inactivity.
[ FAIL ] The SSH daemon must not allow authentication using rhosts authentication.
[ FAIL ] The system must display the date and time of the last successful account logon upon an SSH logon.
[ FAIL ] The system must not permit direct logons to the root account using remote access via SSH.
[ FAIL ] The SSH daemon must not allow authentication using known hosts authentication.
[ PASS ] The SSH daemon must be configured to only use the SSHv2 protocol.
[ FAIL ] The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
[ PASS ] The SSH public host key files must have mode 0644 or less permissive.
[ PASS ] The SSH private host key files must have mode 0600 or less permissive.
[ FAIL ] The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
[ FAIL ] The SSH daemon must not permit Kerberos authentication unless needed.
[ FAIL ] The SSH daemon must perform strict mode checking of home directory configuration files.
[ FAIL ] The SSH daemon must use privilege separation.
[ FAIL ] The SSH daemon must not allow compression or must only allow compression after successful authentication.

Same as [2].

[ FAIL ] The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

Non-issue. See sdwdate / Time Attacks / Dev/TimeSync.

[ FAIL ] The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces.

Low severity, since this is not a remotely exploitable security vulnerability.

It would make sense to go beyond rate limiting on network interfaces and make sure that user "user" cannot DoS the VM or the host, by capping the system resources a user may consume.

related: https://phabricator.whonix.org/T12 (archive.org)

[ PASS ] The operating system must enable an application firewall, if available.

OK.

[ FAIL ] The system must display the date and time of the last successful account logon upon logon.

TODO: might make sense for Whonix Host and/or Kicksecure Host. Conflicts with log minimization. Maybe making sense for Kicksecure Host but not Whonix Host. Should be discussed later after first release of host operating system.

[ PASS ] There must be no .shosts files on the system.
[ PASS ] There must be no shosts.equiv files on the system.

TODO

[ PASS ] For systems using DNS resolution, at least two name servers must be configured.
[ PASS ] The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
[ PASS ] The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
[ PASS ] The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
[ PASS ] The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
[ PASS ] The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
[ PASS ] The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
[ PASS ] Network interfaces must not be in promiscuous mode.
[ PASS ] A File Transfer Protocol (FTP) server package must not be installed unless needed.
[ PASS ] The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.

OK.

[ FAIL ] Remote X connections for interactive users must be encrypted.

No remote X connections should be possible anyhow.

[ FAIL ] An X Windows display manager must not be installed unless approved.

It's "approved".

[ PASS ] The system must not be performing packet forwarding unless the system is a router.
Unit autofs.service could not be found.
[ PASS ] The system must not forward IPv6 source-routed packets.

OK.

[ FAIL ] When passwords are changed or new passwords are established, pwquality must be used.
xen on /proc/xen type xenfs (rw,relatime)
[ FAIL ] File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.

Not applicable. NFS not installed by default.

[ FAIL ] The audit system must take appropriate action when there is an error sending audit records to a remote system.

[3] Not applicable. There is no enterprise operating system (yet) where logs are sent to remotes. Local logs only.

[ FAIL ] The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
[ FAIL ] The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
[ FAIL ] The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
[ FAIL ] The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.

TODO: this might be a false positive, but the test code needs to be looked at.

[ PASS ] The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
[ PASS ] Wireless network adapters must be disabled.

Currently OK inside VMs but once Whonix Host and/or Kicksecure Host are released we might ignore this since different target user group.

Manually Checking Part

SV-86473r2_rule: The file permissions, ownership, and group membership of system files and commands must match the vendor values.
SV-86487r1_rule: The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
SV-86519r3_rule: The operating system must set the idle delay setting for all connection types.
SV-86523r1_rule: The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
SV-86525r1_rule: The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
SV-86547r2_rule: User and group account administration utilities must be configured to store only encrypted representations of passwords.
SV-86589r1_rule: The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
SV-86719r2_rule: All privileged function executions must be audited.
SV-86805r2_rule: All uses of the pt_chown command must be audited. pt_chown was shipped in the glibc package before 2.19-18+deb8u4 on Debian jessie; it has been dropped in Debian stretch.
SV-86843r1_rule: The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.
SV-86851r2_rule: The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.
SV-86921r2_rule: The system must be configured to prevent unrestricted mail relaying.
SV-86929r1_rule: If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
SV-86935r3_rule: The Network File System (NFS) must be configured to use RPCSEC_GSS.
SV-86939r1_rule: The system access control program must be configured to grant or deny system access to specific hosts and services.
SV-86941r1_rule: The system must not have unauthorized IP tunnels configured.
SV-87041r2_rule: The operating system must have the required packages for multifactor authentication installed.
SV-87051r2_rule: The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
SV-87057r2_rule: The operating system must implement certificate status checking for PKI authentication.
SV-87059r2_rule: The operating system must implement smart card logons for multifactor authentication for access to privileged accounts.
SV-86625r1_rule: The system must not have unnecessary accounts.
SV-86599r1_rule: Designated personnel must be notified if baseline configurations are changed in an unauthorized manner.
SV-86611r1_rule: The operating system must remove all software components after updated versions have been installed. Corresponds to apt autoremove on Debian.

TODO

Pass Count:  53
Failed Count:  136

The raw counters are not a useful basis for conclusions; see the comments on the individual items above.
