Guide to the Secure Configuration of Red Hat Enterprise Linux 8
with profile [DRAFT] DISA STIG for Red Hat Enterprise Linux 8This profile contains configuration checks that align to the [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image
https://www.open-scap.org/security-policies/scap-security-guide
scap-security-guide
package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
Evaluation target | localhost.localdomain |
---|---|
Target ID | podman-image://c195d38e471bf6fa3150a01717252bff61e2dc65dffbfa398bb7a5838dad467d [localhost/twistlock/private:console_20_12_541] |
Benchmark URL | scap-security-guide-0.1.54/ssg-rhel8-ds.xml |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-8 |
Benchmark version | 0.1.54 |
Profile ID | xccdf_org.ssgproject.content_profile_stig |
Started at | 2021-02-11T19:31:22+00:00 |
Finished at | 2021-02-11T19:31:22+00:00 |
Performed by | unknown user |
Test system | cpe:/a:redhat:openscap:1.3.3 |
CPE Platforms
- cpe:/o:redhat:enterprise_linux:8
Addresses
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 50.983795 | 100.000000 |
Rule Overview
Result Details
Install AIDE
Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80844-4 References: 1.4.1, 5.10.1.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, BP28(R51), SRG-OS-000363-GPOS-00150, 1034, 1288, 1341, 1417 |
Description | The $ sudo yum install aide |
Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
Enable FIPS Mode
Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80942-6 References: CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, 1446 |
Description | To enable FIPS mode, run the following command: fips-mode-setup --enable The fips-mode-setup command will configure the system in
FIPS mode by automatically configuring the following:
|
Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
Enable Dracut FIPS Module
Rule ID | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82155-3 References: CCI-000068, CCI-000803, CCI-002450, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, SRG-OS-000478-GPOS-00223, 1446 |
Description | To enable FIPS mode, run the following command: fips-mode-setup --enableTo enable FIPS, the system requires that the fips module is added in
dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " |
Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
Install crypto-policies package
Rule ID | xccdf_org.ssgproject.content_rule_package_crypto-policies_installed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_crypto-policies_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82723-8 References: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174 |
Description | The $ sudo yum install crypto-policies |
Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. |
package crypto-policies is installed oval:ssg-test_package_crypto-policies_installed:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
crypto-policies | noarch | (none) | 1.git51d1222.el8 | 20200713 | 0:20200713-1.git51d1222.el8 | 199e2f91fd431d51 | crypto-policies-0:20200713-1.git51d1222.el8.noarch |
Configure session renegotiation for SSH client
Rule ID | xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-ssh_client_rekey_limit:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82880-6 References: FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187 |
Description | The |
Rationale | By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited. |
tests the value of RekeyLimit setting in /etc/ssh/ssh_config file oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/ssh/ssh_config | ^[\s]*RekeyLimit.*$ | 1 |
tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ssh_client_rekey_limit_include_configs:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance | |||
---|---|---|---|---|---|
| ^/etc/ssh/ssh_config\.d/.*\.conf$ | 1 |
Configure System Cryptography Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80935-0 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, 1.10, 1.11, 1446 |
Description | To configure the system cryptography policy to use ciphers only from the $ sudo update-crypto-policies --set FIPS:OSPPThe rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. |
Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/crypto-policies/config | FIPS:OSPP |
check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/crypto-policies/state/current | FIPS:OSPP |
Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1612713248 |
Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true
Following items have been found on the system:
Path | Type | UID | GID | Size (B) | Permissions |
---|---|---|---|---|---|
/etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 338 | rw-r--r-- |
Configure Libreswan to use System Crypto Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_libreswan_crypto_policy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80937-6 References: CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000033-GPOS-00014, FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6 |
Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Libreswan is supported by system crypto policy, but the Libreswan configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the |
Rationale | Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. |
package libreswan is installed oval:ssg-test_package_libreswan_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
Name |
---|
libreswan |
Check that the libreswan configuration includes the crypto policy config file oval:ssg-test_configure_libreswan_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/ipsec.conf | ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$ | 1 |
OpenSSL uses strong entropy source
Rule ID | xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-openssl_use_strong_entropy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82721-2 References: FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00227, 1277, 1552 |
Description | By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
A way to configure OpenSSL to always use a strong source is to setup a wrapper that
defines a shell function that shadows the actual # provide a default -rand /dev/random option to openssl commands that # support it # written inefficiently for maximum shell compatibility openssl() ( openssl_bin=/usr/bin/openssl case "$*" in # if user specified -rand, honor it *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; esac cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` for i in `$openssl_bin list -commands`; do if $openssl_bin list -options "$i" | grep -q '^rand '; then cmds=" $i $cmds" fi done case "$cmds" in *\ "$1"\ *) cmd="$1"; shift exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; esac exec $openssl_bin "$@" ) |
Rationale | This rule ensures that |
Warnings | warning
This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available. |
Test if openssl is configured to generate random data with strong entropy oval:ssg-test_openssl_strong_entropy:tst:1 true
Following items have been found on the system:
Filepath | Path | Filename | Hash type | Hash |
---|---|---|---|---|
/etc/profile.d/openssl-rand.sh | /etc/profile.d | openssl-rand.sh | SHA-256 | 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af |
Configure SSH to use System Crypto Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80939-2 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, 5.2.20, SRG-OS-000250-GPOS-00093 |
Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the |
Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/sysconfig/sshd | ^\s*CRYPTO_POLICY\s*=.*$ | 1 |
Configure Kerberos to use System Crypto Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80936-8 References: SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, 0418, 1055, 1402 |
Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, kerberos is configured to use the system-wide crypto policy settings. |
Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. |
Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1 error
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /etc/crypto-policies/back-ends/krb5.config |
Check if kerberos configuration symlink links to the crypto-policy backend file oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /etc/crypto-policies/back-ends/krb5.config |
Configure OpenSSL library to use System Crypto Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_openssl_crypto_policy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80938-4 References: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093 |
Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under |
Rationale | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented. |
Check that the configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_crypto_policy:tst:1 true
Following items have been found on the system:
Path | Content |
---|---|
/etc/pki/tls/openssl.cnf | [ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config |
Configure BIND to use System Crypto Policy
Rule ID | xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_bind_crypto_policy:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80934-3 References: SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190 |
Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the |
Rationale | Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented. |
package bind is removed oval:ssg-test_package_bind_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object
Name |
---|
bind |
Check that the configuration includes the policy config file. oval:ssg-test_configure_bind_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/named.conf | ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ | 1 |
The Installed Operating System Is Vendor Supported
Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-installed_OS_is_vendor_supported:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80947-5 References: CCI-000366, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, 18, 20, 4, RHEL-08-010000, SV-230221r599732_rule |
Description | The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. |
Rationale | An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. |
Warnings | warning
There is no remediation besides switching to a different operating system. |
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name |
---|
redhat-release-client |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name |
---|
redhat-release-client |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name |
---|
redhat-release-workstation |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name |
---|
redhat-release-workstation |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name |
---|
redhat-release-server |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name |
---|
redhat-release-server |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name |
---|
redhat-release-computenode |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name |
---|
redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name |
---|
redhat-release-client |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
Name |
---|
redhat-release-client |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name |
---|
redhat-release-workstation |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
Name |
---|
redhat-release-workstation |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name |
---|
redhat-release-server |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
Name |
---|
redhat-release-server |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name |
---|
redhat-release-computenode |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
Name |
---|
redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
Name |
---|
oraclelinux-release |
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
Name |
---|
sled-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
Name |
---|
sles-release |
Ensure /home Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-81044-0 References: BP28(R12), 1.1.13, CCI-000366, CCI-001208, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8 |
Description | If user home directories will be stored locally, create a separate partition
for |
Rationale | Ensuring that |
Encrypt Partitions
Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80789-1 References: 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000404-VMM-001650, SRG-OS-000405-VMM-001660, SR 3.4, SR 4.1, SR 5.2, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 13, 14 |
Description | Red Hat Enterprise Linux 8 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASEAny PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html. |
Rationale | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
Ensure /var/log/audit Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-80854-3 References: 1.1.12, CCI-000366, CCI-001849, 164.312(a)(2)(ii), A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8 |
Description | Audit logs are stored in the |
Rationale | Placing |
Ensure /var Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-80852-7 References: BP28(R12), 1.1.6, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8 |
Description | The |
Rationale | Ensuring that |
Ensure /var/log Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80853-5 References: BP28(R12), BP28(R47), 1.1.11, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, 1, 12, 14, 15, 16, 3, 5, 6, 8, SRG-OS-000480-GPOS-00227 |
Description | System logs are stored in the |
Rationale | Placing |
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-81003-6 References: SRG-OS-000480-GPOS-00227 |
Description | By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf updatecommand. |
Rationale | Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them. |
Install sudo Package
Rule ID | xccdf_org.ssgproject.content_rule_package_sudo_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_sudo_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82214-8 References: CM-6(a), SRG-OS-000324-GPOS-00125, 1.3.1, 1382, 1384, 1386 |
Description | The $ sudo yum install sudo |
Rationale |
|
package sudo is installed oval:ssg-test_package_sudo_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_sudo_installed:obj:1 of type rpminfo_object
Name |
---|
sudo |
Install dnf-automatic Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_dnf-automatic_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82985-3 References: SRG-OS-000191-GPOS-00080 |
Description | The $ sudo yum install dnf-automatic |
Rationale |
|
package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object
Name |
---|
dnf-automatic |
Ensure gpgcheck Enabled In Main yum Configuration
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80790-9 References: 1.2.4, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15) |
Description | The gpgcheck=1 |
Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
|
Ensure gpgcheck Enabled for Local Packages
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80791-7 References: 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, BP28(R15) |
Description |
|
Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
|
Enable dnf-automatic Timer
Rule ID | xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-timer_dnf-automatic_enabled:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82360-9 References: FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080 |
Description |
The $ sudo systemctl enable dnf-automatic.timer |
Rationale | The |
package dnf-automatic is installed oval:ssg-test_package_dnf-automatic_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dnf-automatic_installed:obj:1 of type rpminfo_object
Name |
---|
dnf-automatic |
Test that the dnf-automatic timer is running oval:ssg-test_timer_running_dnf-automatic:tst:1 unknown
No items have been found conforming to the following objects:
Object oval:ssg-obj_timer_running_dnf-automatic:obj:1 of type systemdunitproperty_object
Unit | Property |
---|---|
dnf-automatic\.timer | ActiveState |
systemd test oval:ssg-test_multi_user_wants_dnf-automatic:tst:1 unknown
No items have been found conforming to the following objects:
Object oval:ssg-object_multi_user_target_for_dnf-automatic_enabled:obj:1 of type systemdunitdependency_object
Unit |
---|
multi-user.target |
Configure dnf-automatic to Install Available Updates Automatically
Rule ID | xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dnf-automatic_apply_updates:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82494-6 References: FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495 |
Description | To ensure that the packages comprising the available updates will be automatically installed by |
Rationale | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner. |
tests the value of apply_updates setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_apply_updates:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_apply_updates:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/dnf/automatic.conf | ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_apply_updates_config_file:obj:1 of type file_object
Filepath |
---|
^/etc/dnf/automatic.conf |
Ensure Red Hat GPG Key Installed
Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-ensure_redhat_gpgkey_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80795-8 References: SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.3, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15) |
Description | To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom , use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEYAlternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release |
Rationale | Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
redhat-release | x86_64 | (none) | 1.0.el8 | 8.3 | 0:8.3-1.0.el8 | 199e2f91fd431d51 | redhat-release-0:8.3-1.0.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
Name |
---|
redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Red Hat release key package is installed oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Red Hat auxiliary key package is installed oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1 true
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/os-release | ^ID="(\w+)"$ | 1 |
Check os-release ID oval:ssg-test_centos8_name:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/os-release | ID="rhel" |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
Family |
---|
unix |
Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/os-release | ^ID="(\w+)"$ | 1 |
Check os-release ID oval:ssg-test_centos8_name:tst:1 false
Following items have been found on the system:
Path | Content |
---|---|
/etc/os-release | ID="rhel" |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
CentOS8 key package is installed oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1 false
Following items have been found on the system:
Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
---|---|---|---|---|---|---|---|
gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Ensure yum Removes Previous Package Versions
Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82476-3 References: 3.4.8, CCI-002617, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, SRG-OS-000437-VMM-001760, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, 18, 20, 4 |
Description |
|
Rationale | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. |
Configure dnf-automatic to Install Only Security Updates
Rule ID | xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-dnf-automatic_security_updates_only:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82267-6 References: FMT_SMF_EXT.1, SI-2(5), CM-6(a), SI-2(c), SRG-OS-000191-GPOS-00080 |
Description | To configure |
Rationale | By default, |
tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file oval:ssg-test_dnf-automatic_security_updates_only:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_security_updates_only:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/dnf/automatic.conf | ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1 of type file_object
Filepath |
---|
^/etc/dnf/automatic.conf |
Ensure gpgcheck Enabled for All yum Package Repositories
Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-ensure_gpgcheck_never_disabled:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80792-5 References: SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 5.10.4.1, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, 11, 2, 3, 9, BP28(R15) |
Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in gpgcheck=0 |
Rationale | Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." |
check for existence of gpgcheck=0 in /etc/yum.repos.d/ files oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
Path | Filename | Pattern | Instance |
---|---|---|---|
/etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1 |
Install dnf-plugin-subscription-manager Package
Rule ID | xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_dnf-plugin-subscription-manager_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82315-3 References: FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495 |
Description | The $ sudo yum install dnf-plugin-subscription-manager |
Rationale | This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; contains subscription-manager and product-id plugins. |
package dnf-plugin-subscription-manager is installed oval:ssg-test_package_dnf-plugin-subscription-manager_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dnf-plugin-subscription-manager_installed:obj:1 of type rpminfo_object
Name |
---|
dnf-plugin-subscription-manager |
Ensure gnutls-utils is installed
Rule ID | xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_gnutls-utils_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82395-5 References: FIA_X509_EXT, SRG-OS-000480-GPOS-00227 |
Description | The $ sudo yum install gnutls-utils |
Rationale | GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools. |
package gnutls-utils is installed oval:ssg-test_package_gnutls-utils_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gnutls-utils_installed:obj:1 of type rpminfo_object
Name |
---|
gnutls-utils |
Install libcap-ng-utils Package
Rule ID | xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_libcap-ng-utils_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82979-6 References: SRG-OS-000445-GPOS-00199 |
Description | The $ sudo yum install libcap-ng-utils |
Rationale |
|
package libcap-ng-utils is installed oval:ssg-test_package_libcap-ng-utils_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libcap-ng-utils_installed:obj:1 of type rpminfo_object
Name |
---|
libcap-ng-utils |
Install openscap-scanner Package
Rule ID | xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_openscap-scanner_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82220-5 References: SRG-OS-000480-GPOS-00227, SRG-OS-000191-GPOS-00080 |
Description | The $ sudo yum install openscap-scanner |
Rationale |
|
package openscap-scanner is installed oval:ssg-test_package_openscap-scanner_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openscap-scanner_installed:obj:1 of type rpminfo_object
Name |
---|
openscap-scanner |
Install scap-security-guide Package
Rule ID | xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_scap-security-guide_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82949-9 References: SRG-OS-000480-GPOS-00227 |
Description | The $ sudo yum install scap-security-guide |
Rationale | The |
package scap-security-guide is installed oval:ssg-test_package_scap-security-guide_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_scap-security-guide_installed:obj:1 of type rpminfo_object
Name |
---|
scap-security-guide |
Install subscription-manager Package
Rule ID | xccdf_org.ssgproject.content_rule_package_subscription-manager_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_subscription-manager_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82316-1 References: SRG-OS-000366-GPOS-00153, FPT_TUD_EXT.1, FPT_TUD_EXT.2, 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495 |
Description | The $ sudo yum install subscription-manager |
Rationale | Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum. |
package subscription-manager is installed oval:ssg-test_package_subscription-manager_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_subscription-manager_installed:obj:1 of type rpminfo_object
Name |
---|
subscription-manager |
Uninstall abrt-addon-ccpp Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-addon-ccpp_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82919-2 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-addon-ccpp |
Rationale |
|
package abrt-addon-ccpp is removed oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-addon-ccpp |
Uninstall abrt-addon-kerneloops Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-addon-kerneloops_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82926-7 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-addon-kerneloops |
Rationale |
|
package abrt-addon-kerneloops is removed oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-addon-kerneloops |
Uninstall abrt-addon-python Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-addon-python_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82923-4 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-addon-python |
Rationale |
|
package abrt-addon-python is removed oval:ssg-test_package_abrt-addon-python_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-python_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-addon-python |
Uninstall abrt-cli Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-cli_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-cli_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82907-7 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-cli |
Rationale |
|
package abrt-cli is removed oval:ssg-test_package_abrt-cli_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-cli |
Uninstall abrt-plugin-logger Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-plugin-logger_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82913-5 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-plugin-logger |
Rationale |
|
package abrt-plugin-logger is removed oval:ssg-test_package_abrt-plugin-logger_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-logger_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-plugin-logger |
Uninstall abrt-plugin-rhtsupport Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-plugin-rhtsupport_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82916-8 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-plugin-rhtsupport |
Rationale |
|
package abrt-plugin-rhtsupport is removed oval:ssg-test_package_abrt-plugin-rhtsupport_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-rhtsupport_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-plugin-rhtsupport |
Uninstall abrt-plugin-sosreport Package
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt-plugin-sosreport_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82910-1 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase abrt-plugin-sosreport |
Rationale |
|
package abrt-plugin-sosreport is removed oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type rpminfo_object
Name |
---|
abrt-plugin-sosreport |
Uninstall gssproxy Package
Rule ID | xccdf_org.ssgproject.content_rule_package_gssproxy_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_gssproxy_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82943-2 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase gssproxy |
Rationale |
|
package gssproxy is removed oval:ssg-test_package_gssproxy_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object
Name |
---|
gssproxy |
Uninstall iprutils Package
Rule ID | xccdf_org.ssgproject.content_rule_package_iprutils_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_iprutils_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82946-5 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase iprutils |
Rationale |
|
package iprutils is removed oval:ssg-test_package_iprutils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object
Name |
---|
iprutils |
Uninstall krb5-workstation Package
Rule ID | xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_krb5-workstation_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82931-7 References: SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061 |
Description | The $ sudo yum erase krb5-workstation |
Rationale | Kerberos is a network authentication system. The |
package krb5-workstation is removed oval:ssg-test_package_krb5-workstation_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_krb5-workstation_removed:obj:1 of type rpminfo_object
Name |
---|
krb5-workstation |
Set Lockout Time for Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80670-3 References: 5.3.2, 5.5.3, 3.1.8, CCI-000044, CCI-002238, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using
unlock_time is set to 0 , manual intervention by an administrator is required to unlock a user. |
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. |
Set Deny For Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80667-9 References: 5.3.2, 5.5.3, 3.1.8, CCI-000044, CCI-002238, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | To configure the system to lock out accounts after a number of incorrect login
attempts using
|
Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. |
Set Interval For Counting Failed Password Attempts
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80669-5 References: CCI-000044, CCI-002238, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | Utilizing
|
Rationale | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
Enforce pam_faillock for Local Accounts Only
Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83401-0 References: CCI-000015, AC-2(1), SRG-OS-000001-GPOS-00001 |
Description | The pam_faillock module's |
Rationale | The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. |
Warnings | warning
Using this rule bypasses pam_faillock's functionality and should be used in cases
where centralized management such as LDAP or Active Directory is in use. |
Limit Password Reuse
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80666-1 References: 5.3.3, 5.6.2.1.1, 3.5.8, CCI-000200, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | Do not allow users to reuse recent passwords. This can be
accomplished by using the
|
Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
Set Password Maximum Consecutive Repeating Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82066-2 References: CCI-000195, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
|
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81034-1 References: CCI-000195, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources required to comrpomise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Length
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80656-2 References: 6.3.2, 5.6.2.1.1, CCI-000205, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | The pam_pwquality module's |
Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
|
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80665-3 References: 6.3.2, CCI-000192, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000069-VMM-000360, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources reuiqred to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Different Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80654-7 References: 5.6.2.1.1, CCI-000195, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, SRG-OS-000072-VMM-000390, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80653-9 References: 6.3.2, CCI-000194, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, SRG-OS-000071-VMM-000380, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Ensure PAM Enforces Password Requirements - Enforce for root User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83377-2 References: CCI-000194, CCI-000193, CCI-001619, CCI-000205, CCI-000195, CCI-000192, CCI-000366, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), SRG-OS-000072-GPOS-00040, SRG-OS-000071-GPOS-00039, SRG-OS-000070-GPOS-00038, SRG-OS-000266-GPOS-00101, SRG-OS-000078-GPOS-00046, SRG-OS-000480-GPOS-00225, SRG-OS-000069-GPOS-00037 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
Ensure PAM Enforces Password Requirements - Minimum Special Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80663-8 References: CCI-001619, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000266-GPOS-00101, SRG-OS-000266-VMM-000940, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80655-4 References: CCI-000193, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, SRG-OS-000070-VMM-000370, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | The pam_pwquality module's |
Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83364-0 References: CCI-000015, AC-2(1), SRG-OS-000001-GPOS-00001 |
Description | The pam_pwquality module's |
Rationale | The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. |
Warnings | warning
Using this rule bypasses pam_faillock's functionality and should be used in cases
where centralized management such as LDAP or Active Directory is in use. |
Configure Smart Card Certificate Status Checking
Rule ID | xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82475-5 References: CCI-001948, CCI-001953, CCI-001954, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167 |
Description | Configure the operating system to do certificate status checking for PKI
authentication. Modify all of the cert_policy = ca, ocsp_on, signature; |
Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Install the tmux Package
Rule ID | xccdf_org.ssgproject.content_rule_package_tmux_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80644-8 References: 3.1.10, CCI-000058, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000030-GPOS-00011, SRG-OS-000030-VMM-000110, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16 |
Description | To enable console screen locking, install the $ sudo yum install tmuxInstruct users to begin new terminal sessions with the following command: $ tmuxThe console can now be locked with the following key combination: ctrl+b :lock-session |
Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
|
Configure tmux to lock session after inactivity
Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82199-1 References: FMT_SMF_EXT.1, SRG-OS-000029-GPOS-00010 |
Description | To enable console screen locking in |
Rationale | Locking the session after a period of inactivity limits the potential exposure if the session is left unattended. |
Configure the tmux Lock Command
Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_command |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80940-0 References: CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), SRG-OS-000028-VMM-000090, SRG-OS-000030-VMM-000110, SRG-OS-000028-GPOS-00009 |
Description | To enable console screen locking in set -g lock-command vlock. The console can now be locked with the following key combination: ctrl+b :lock-session |
Rationale | The |
Support session locking with tmux
Rule ID | xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82266-8 References: FMT_SMF_EXT.1, SRG-OS-000031-GPOS-00012 |
Description | The |
Rationale | Unlike |
Prevent user from disabling the screen lock
Rule ID | xccdf_org.ssgproject.content_rule_no_tmux_in_shells |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82361-7 References: FMT_SMF_EXT.1, SRG-OS-000324-GPOS-00125 |
Description | The |
Rationale | Not listing |
Disable debug-shell SystemD Service
Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80876-6 References: 3.4.5, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), FIA_UAU.1, SRG-OS-000324-GPOS-00125 |
Description | SystemD's $ sudo systemctl mask --now debug-shell.service |
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
Require Authentication for Single User Mode
Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80855-0 References: 1.5.3, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 11, 12, 14, 15, 16, 18, 3, 5, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
|
Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
Disable Ctrl-Alt-Del Reboot Activation
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80785-9 References: 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | By default, ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Disable Ctrl-Alt-Del Burst Action
Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80784-2 References: 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000324-GPOS-00125, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | By default, CtrlAltDelBurstAction=none |
Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3 . |
Verify that Interactive Boot is Disabled
Rule ID | xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80826-1 References: 3.1.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), SC-2(1), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 11, 12, 14, 15, 16, 18, 3, 5, SRG-OS-000480-GPOS-00227 |
Description | Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Enterprise Linux 8
system, interactive boot can be enabled by providing a systemd.confirm_spawn=(1|yes|true|on)from the kernel arguments in that file to disable interactive boot. It is also required to change the runtime configuration, run: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" |
Rationale | Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. |
Enforce usage of pam_wheel for su authentication
Rule ID | xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-use_pam_wheel_for_su:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83318-6 References: FMT_SMF_EXT.1.1, SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123 |
Description | To ensure that only users who are members of the auth required pam_wheel.so use_uid |
Rationale | The |
check /etc/pam.d/su for correct setting oval:ssg-test_use_pam_wheel_for_su:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_use_pam_wheel_for_su:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/pam.d/su | ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ | 1 |
Restrict Virtual Console Root Logins
Rule ID | xccdf_org.ssgproject.content_rule_securetty_root_login_console_only |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-securetty_root_login_console_only:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80864-2 References: 3.1.1, 3.1.5, CCI-000770, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-6, CM-6(a), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5, 5.6, SRG-OS-000324-GPOS-00125 |
Description | To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in vc/1 vc/2 vc/3 vc/4 |
Rationale | Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. |
virtual consoles /etc/securetty oval:ssg-test_virtual_consoles_etc_securetty:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_virtual_consoles_etc_securetty:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/securetty | ^vc/[0-9]+$ | 1 |
Prevent Login to Accounts With Empty Password
Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-no_empty_passwords:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80841-0 References: 5.5.2, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
|
Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
make sure nullok is not used in /etc/pam.d/system-auth oval:ssg-test_no_empty_passwords:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_empty_passwords:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/pam.d/system-auth | ^[^#]*\bnullok\b.*$ | 1 |
Set Existing Passwords Minimum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
Result | notchecked |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82472-2 References: IA-5(f), IA-5(1)(d), CM-6(a), CCI-000198, SRG-OS-000075-GPOS-00043, SRG-OS-000075-VMM000420 |
Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER |
Rationale | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. |
Set Existing Passwords Maximum Age
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
Result | notchecked |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82473-0 References: IA-5(f), IA-5(1)(d), CM-6(a), CCI-000199, SRG-OS-000076-GPOS-00044, SRG-OS-000076-VMM-000430 |
Description | Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: $ sudo chage -M 60 USER |
Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. |
Set Password Minimum Length in login.defs
Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80652-1 References: 5.6.2.1, 3.5.7, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, SRG-OS-000078-GPOS-00046, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | To specify password length requirements for new accounts, edit the file
PASS_MIN_LEN 12 The DoD requirement is 15 .
The FISMA requirement is 12 .
The profile requirement is
12 .
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality ) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements. |
Rationale | Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. |
Assign Expiration Date to Temporary Accounts
Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
Result | notchecked |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82474-8 References: CCI-000016, CCI-001682, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002, SRG-OS-000002-VMM-000020, SRG-OS-000123-VMM-000620, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 |
Description | Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary or emergency accounts are required, configure the system to
terminate them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on
it, substituting $ sudo chage -E YYYY-MM-DD USER YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
Rationale | If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Set Account Expiration Following Inactivity
Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80954-1 References: 5.6.2.1.1, 3.5.6, CCI-000017, CCI-000795, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 |
Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in INACTIVE=35If a password is currently on the verge of expiration, then 35
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 35 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
Ensure the Default C Shell Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_umask_etc_csh_cshrc:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81037-4 References: CCI-000366, AC-6(1), CM-6(a), PR.IP-2, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, 18, SRG-OS-000480-GPOS-00228 |
Description | To ensure the default umask for users of the C shell is set properly,
add or correct the umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1 true
Following items have been found on the system:
Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
---|---|---|---|---|---|---|---|---|
oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Ensure the Default Bash Umask is Set Correctly
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81036-6 References: 5.4.4, CCI-000366, AC-6(1), CM-6(a), PR.IP-2, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, 18, SRG-OS-000480-GPOS-00228 |
Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 true
Following items have been found on the system:
Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
---|---|---|---|---|---|---|---|---|
oval:ssg-var_etc_bashrc_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Ensure the Default Umask is Set Correctly in /etc/profile
Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-accounts_umask_etc_profile:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81035-8 References: 5.4.4, CCI-000366, AC-6(1), CM-6(a), PR.IP-2, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, 18, BP28(R35), SRG-OS-000480-GPOS-00228 |
Description | To ensure the default umask controlled by umask 027 |
Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
Var ref | Value |
---|---|
oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 true
Following items have been found on the system:
Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
---|---|---|---|---|---|---|---|---|
oval:ssg-var_etc_profile_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Limit the Number of Concurrent Login Sessions Allowed Per User
Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-80955-8 References: 5.5.2.2, CCI-000054, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, SRG-OS-000027-VMM-000080, SR 3.1, SR 3.8, 4.3.3.4, DSS01.05, DSS05.02, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, 14, 15, 18, 9 |
Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in * hard maxlogins 10 |
Rationale | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. |
Configure auditing of unsuccessful file modifications
Rule ID | xccdf_org.ssgproject.content_rule_audit_modify_failed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82830-1 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205 |
Description | Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above: ## Unsuccessful file modifications (open for write or truncate) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modificationThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. |
Configure auditing of unsuccessful file creations
Rule ID | xccdf_org.ssgproject.content_rule_audit_create_failed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82374-0 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205 |
Description | Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above: ## Unsuccessful file creation (open with O_CREAT) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-createThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. |
Configure auditing of unsuccessful permission changes
Rule ID | xccdf_org.ssgproject.content_rule_audit_perm_change_failed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82837-6 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 |
Description | Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above: ## Unsuccessful permission change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-changeThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. |
Configure auditing of successful file accesses
Rule ID | xccdf_org.ssgproject.content_rule_audit_access_success |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82834-3 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205, 0582, 0584, 05885, 0586, 0846, 0957 |
Description | Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: ## Successful file access (any other opens) This has to go last. ## These next two are likely to result in a whole lot of events -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-accessThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Auditing of successful attempts to access a file helps in investigation of activities performed on the system. |
Configure auditing of unsuccessful file deletions
Rule ID | xccdf_org.ssgproject.content_rule_audit_delete_failed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82835-0 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000467-GPOS-00211 |
Description | Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above: ## Unsuccessful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-deleteThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. |
Configure basic parameters of Audit system
Rule ID | xccdf_org.ssgproject.content_rule_audit_basic_configuration |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82827-7 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000365-GPOS-00152, SRG-OS-000475-GPOS-00220 |
Description | Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above: ## First rule - delete all -D ## Increase the buffers to survive stress events. ## Make this bigger for busy systems -b 8192 ## This determine how long to wait in burst of events --backlog_wait_time 60000 ## Set failure mode to syslog -f 1The Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/10-base-config.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --load |
Rationale | Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure. |
Configure auditing of unsuccessful file accesses
Rule ID | xccdf_org.ssgproject.content_rule_audit_access_failed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82833-5 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205, 0582, 0584, 05885, 0586, 0846, 0957 |
Description | Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: ## Unsuccessful file access (any other opens) This has to go last. -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-accessLoad new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. |
Configure auditing of successful file deletions
Rule ID | xccdf_org.ssgproject.content_rule_audit_delete_success |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82836-8 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212, SRG-OS-000467-GPOS-00211 |
Description | Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above: ## Successful file delete -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-deleteThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. |
Configure auditing of unsuccessful ownership changes
Rule ID | xccdf_org.ssgproject.content_rule_audit_owner_change_failed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82384-9 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 |
Description | Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: ## Unsuccessful ownership change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-changeThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. |
Configure immutable Audit login UIDs
Rule ID | xccdf_org.ssgproject.content_rule_audit_immutable_login_uids |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82828-5 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220 |
Description | Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above: ## Make the loginuid immutable. This prevents tampering with the auid. --loginuid-immutableThe Audit provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/11-loginuid.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --load |
Rationale | If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. |
Configure auditing of loading and unloading of kernel modules
Rule ID | xccdf_org.ssgproject.content_rule_audit_module_load |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82838-4 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000475-GPOS-00220 |
Description | Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above: ## These rules watch for kernel module insertion. By monitoring ## the syscall, we do not need any watches on programs. -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load -a always,exit -F arch=b32 -S delete_module -F key=module-unload -a always,exit -F arch=b64 -S delete_module -F key=module-unloadThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/43-module-load.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --load |
Rationale | Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. |
Perform general configuration of Audit for OSPP
Rule ID | xccdf_org.ssgproject.content_rule_audit_ospp_general |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82373-2 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000004-GPOS-00004, SRG-OS-000241-GPOS-00091, SRG-OS-000476-GPOS-00221, SRG-OS-000327-GPOS-00127, SRG-OS-000475-GPOS-00220, SRG-OS-000239-GPOS-00089, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121 |
Description | Configure some basic ## The purpose of these rules is to meet the requirements for Operating ## System Protection Profile (OSPP)v4.2. These rules depends on having ## the following rule files copied to /etc/audit/rules.d: ## ## 10-base-config.rules, 11-loginuid.rules, ## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, ## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, ## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, ## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, ## 30-ospp-v42-5-perm-change-failed.rules, ## 30-ospp-v42-5-perm-change-success.rules, ## 30-ospp-v42-6-owner-change-failed.rules, ## 30-ospp-v42-6-owner-change-success.rules ## ## original copies may be found in /usr/share/audit/sample-rules/ ## User add delete modify. This is covered by pam. However, someone could ## open a file and directly create or modify a user, so we'll watch passwd and ## shadow for writes -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ## User enable and disable. This is entirely handled by pam. ## Group add delete modify. This is covered by pam. However, someone could ## open a file and directly create or modify a user, so we'll watch group and ## gshadow for writes -a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify -a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify -a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ## Use of special rights for config changes. This would be use of setuid ## programs that relate to user accts. This is not all setuid apps because ## requirements are only for ones that affect system configuration. -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ## Privilege escalation via su or sudo. This is entirely handled by pam. ## Audit log access -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail ## Attempts to Alter Process and Session Initiation Information -a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session -a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ## Attempts to modify MAC controls -a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy ## Software updates. This is entirely handled by rpm. ## System start and shutdown. This is entirely handled by systemd ## Kernel Module loading. This is handled in 43-module-load.rules ## Application invocation. The requirements list an optional requirement ## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to ## state results from that policy. This would be handled entirely by ## that daemon.The Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with |
Configure auditing of successful permission changes
Rule ID | xccdf_org.ssgproject.content_rule_audit_perm_change_success |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82383-1 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 |
Description | Ensure that successful attempts to modify permissions of iles or directories are audited. The following rules configure audit as described above: ## Successful permission change -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-changeThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. |
Configure auditing of successful file modifications
Rule ID | xccdf_org.ssgproject.content_rule_audit_modify_success |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82832-7 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205 |
Description | Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above: ## Successful file modifications (open for write or truncate) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modificationThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. |
Configure auditing of successful ownership changes
Rule ID | xccdf_org.ssgproject.content_rule_audit_owner_change_success |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82385-6 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033 |
Description | Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above: ## Successful ownership change -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-changeThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/The file has the following SHA-256 checksum: 7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900adLoad new Audit rules into kernel by running: augenrules --loadNote: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. |
Rationale | Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. |
Configure auditing of successful file creations
Rule ID | xccdf_org.ssgproject.content_rule_audit_create_success |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82829-3 References: FAU_GEN.1.1.c, AU-2(a), SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000461-GPOS-00205 |
Description | Ensure that successful attempts to create a file are audited. The following rules configure audit as described above: ## Successful file creation (open with O_CREAT) -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-createThe Audit package provides pre-configured rules in /usr/share/audit/sample-rules . The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules .
To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/Load new Audit rules into kernel by running: augenrules --load |
Rationale | Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. |
Set hostname as computer node name in audit logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82897-0 References: CCI-001851, FAU_GEN.1, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
Description | To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set |
Rationale | If option |
Write Audit Logs to the Disk
Rule ID | xccdf_org.ssgproject.content_rule_auditd_write_logs |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82366-6 References: FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227 |
Description | To configure Audit daemon to write Audit logs to the disk, set
|
Rationale | If |
Resolve information before writing to audit logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82201-5 References: FAU_GEN.1, SRG-OS-000255-GPOS-00096 |
Description | To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set |
Rationale | If option |
Configure auditd to use audispd's syslog plugin
Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80677-8 References: 5.4.1.1, 3.3.1, CCI-000136, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), AU-4(1), CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280, SRG-OS-000479-VMM-001990, SRG-OS-000479-VMM-001990, Req-10.5.3, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, SRG-OS-000479-GPOS-00224, SRG-OS-000342-GPOS-00133 |
Description | To configure the $ sudo service auditd restart |
Rationale | The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server |
Configure auditd flush priority
Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_flush |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80680-2 References: 3.3.1, CCI-001576, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), AU-11, CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | The flush = incremental_async |
Rationale | Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. |
Set number of records to cause an explicit flush to audit logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_freq |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82258-5 References: FAU_GEN.1, SRG-OS-000051-GPOS-00024 |
Description | To configure Audit daemon to issue an explicit flush to disk command
after writing 50 records, set |
Rationale | If option |
Include Local Events in Audit Logs
Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82233-8 References: FAU_GEN.1.1.c, SRG-OS-000062-GPOS-00031 |
Description | To configure Audit daemon to include local events in Audit logs, set
|
Rationale | If option |
Record Events that Modify User/Group Information - /etc/passwd
Install audispd-plugins Package
Rule ID | xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82953-1 References: SRG-OS-000342-GPOS-00133, FMT_SMF_EXT.1 |
Description | The $ sudo yum install audispd-plugins |
Rationale |
|
Ensure the audit Subsystem is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_audit_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81043-2 References: AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), BP28(R50), SRG-OS-000480-GPOS-00227, SRG-OS-000122-GPOS-00063, 4.1.1.1 |
Description | The audit package should be installed. |
Rationale | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
Enable auditd Service
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80825-3 References: 4.1.1.3, 5.4.1.1, 3.3.1, CCI-001464, CCI-000130, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, SRG-OS-000254-VMM-000880, Req-10.3, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, SRG-OS-000254-GPOS-00095 |
Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument # grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" |
Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although |
Warnings | warning
The GRUB 2 configuration file, grub.cfg ,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Extend Audit Backlog Limit for the Audit Daemon
Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80943-4 References: SRG-OS-000254-GPOS-00095, CM-6(a), 4.1.1.4 |
Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192" |
Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken. |
Warnings | warning
The GRUB 2 configuration file, grub.cfg ,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Disable Mounting of cramfs
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-81031-7 References: 1.1.1.1, 3.4.6, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000095-GPOS-00049 |
Description |
To configure the system to prevent the install cramfs /bin/trueThis effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
Rationale | Removing support for unneeded filesystem types reduces the local attack surface of the server. |
Add nosuid Option to /var/log/audit
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82921-8 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files. |
Add nosuid Option to /var/tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82154-6 References: 1.1.9, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nosuid Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82140-5 References: 1.1.4, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add noexec Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82139-7 References: 1.1.5, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nosuid Option to /boot
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81033-3 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, BP28(R12) |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions. |
Add nodev Option to /var/tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82068-8 References: 1.1.8, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add nosuid Option to /var/log
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82065-4 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, BP28(R12) |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files. |
Add nodev Option to /boot
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82941-6 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add nodev Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-80837-8 References: 1.1.5, CCI-001764, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add nodev Option to /tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82623-0 References: 1.1.3, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-80838-6 References: 1.1.17, CCI-001764, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nodev Option to /var/log
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82077-9 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to /var/log
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82008-4 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, BP28(R12) |
Description | The |
Rationale | Allowing users to execute binaries from directories containing log files
such as |
Add noexec Option to /var/tmp
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82151-2 References: 1.1.10, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nosuid Option to /home
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81050-7 References: CCI-000366, 1.1.3, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, BP28(R12), SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227 |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. |
Add nodev Option to /var
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82062-1 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add noexec Option to /var/log/audit
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82975-4 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | Allowing users to execute binaries from directories containing audit log files
such as |
Add nodev Option to Non-Root Local Partitions
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82069-6 References: 1.1.11, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000368-GPOS-00154, BP28(R12) |
Description | The |
Rationale | The |
Add nodev Option to /var/log/audit
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82080-3 References: CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Add nosuid Option to /dev/shm
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-80839-4 References: 1.1.16, CCI-001764, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, 11, 13, 14, 3, 8, 9, SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /home
Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nodev |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81048-1 References: 1.1.14, BP28(R12), SRG-OS-000368-GPOS-00154 |
Description | The |
Rationale | The only legitimate location for device files is the |
Enable page allocator poisoning
Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80944-2 References: SRG-OS-000480-GPOS-00227, CM-6(a) |
Description | To enable poisoning of free pages,
add the argument GRUB_CMDLINE_LINUX="page_poison=1" |
Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. |
Warnings | warning
The GRUB 2 configuration file, grub.cfg ,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Enable SLUB/SLAB allocator poisoning
Rule ID | xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80945-9 References: SRG-OS-000433-GPOS-00192, CM-6(a) |
Description | To enable poisoning of SLUB/SLAB objects,
add the argument GRUB_CMDLINE_LINUX="slub_debug=P" |
Rationale | Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. |
Warnings | warning
The GRUB 2 configuration file, grub.cfg ,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Restrict Exposed Kernel Pointer Addresses Access
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80915-2 References: BP28(R23), SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.kptr_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.kptr_restrict = 1 |
Rationale | Exposing kernel pointers (through procfs or |
Disable acquiring, saving, and processing core dumps
Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82881-4 References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
Description | The |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Disable Core Dumps for All Users
Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81038-2 References: 1.6.1, DE.CM-1, PR.DS-4, SR 6.2, SR 7.1, SR 7.2, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, A.12.1.3, A.17.2.1, 1, 12, 13, 15, 16, 2, 7, 8, SRG-OS-000480-GPOS-00227 |
Description | To disable core dumps for all users, add the following line to
* hard core 0 |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Disable core dump backtraces
Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82251-0 References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, 1.6.1 |
Description | The |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. |
Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_backtraces:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable storing core dump
Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82252-8 References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, 1.6.1 |
Description | The |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. |
Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of Storage setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_storage:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Restrict Access to Kernel Message Buffer
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80913-7 References: 3.1.5, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), BP28(R23), SRG-OS-000132-GPOS-00067 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.dmesg_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.dmesg_restrict = 1 |
Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel address information. |
Disable Kernel Image Loading
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80952-5 References: SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.kexec_load_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.kexec_load_disabled = 1 |
Rationale | Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. |
Disable the use of user namespaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | info |
Identifiers and References | Identifiers: CCE-82211-4 References: FMT_SMF_EXT.1, SC-39, CM-6(a), SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w user.max_user_namespaces=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d :
user.max_user_namespaces = 0When containers are deployed on the machine, the value should be set to large non-zero value. |
Rationale | User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces. |
Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that user.max_user_namespaces will be enabled. |
Disable storing core dumps
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82215-5 References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.core_pattern=|/bin/falseTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.core_pattern = |/bin/false |
Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Disable Access to Network bpf() Syscall From Unprivileged Processes
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82974-7 References: FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.unprivileged_bpf_disabled = 1 |
Rationale | Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state. |
Restrict usage of ptrace to descendant processes
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80953-3 References: BP28(R25), SRG-OS-000132-GPOS-00067 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.yama.ptrace_scope=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.yama.ptrace_scope = 1 |
Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). |
Disallow kernel profiling by unprivileged users
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81054-9 References: BP28(R23), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067 |
Description | To set the runtime status of the $ sudo sysctl -w kernel.perf_event_paranoid=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : kernel.perf_event_paranoid = 2 |
Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
Harden the operation of the BPF just-in-time compiler
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82934-1 References: FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.core.bpf_jit_harden=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.core.bpf_jit_harden = 2 |
Rationale | When hardened, the extended Berkeley Packet Filter just-in-time compiler
will randomize any kernel addresses in the BPF programs and maps,
and will not expose the JIT addresses in |
Enable Kernel Parameter to Enforce DAC on Hardlinks
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81027-5 References: BP28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125 |
Description | To set the runtime status of the $ sudo sysctl -w fs.protected_hardlinks=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : fs.protected_hardlinks = 1 |
Rationale | By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of |
Enable Kernel Parameter to Enforce DAC on Symlinks
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81030-9 References: BP28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125 |
Description | To set the runtime status of the $ sudo sysctl -w fs.protected_symlinks=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : fs.protected_symlinks = 1 |
Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
|
Set the UEFI Boot Loader Password
Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-80829-5 References: 1.4.2, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 11, 12, 14, 15, 16, 18, 3, 5, BP28(R17) |
Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-setpasswordWhen prompted, enter the password that was selected. Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg |
Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Enable Kernel Page-Table Isolation (KPTI)
Rule ID | xccdf_org.ssgproject.content_rule_grub2_pti_argument |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-82194-2 References: SRG-OS-000433-GPOS-00193, SI-16 |
Description | To enable Kernel page-table isolation,
add the argument GRUB_CMDLINE_LINUX="pti=on" |
Rationale | Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). |
Warnings | warning
The GRUB 2 configuration file, grub.cfg ,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Disable vsyscalls
Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | info |
Identifiers and References | Identifiers: CCE-80946-7 References: SRG-OS-000480-GPOS-00227, CM-7(a) |
Description | To disable use of virtual syscalls,
add the argument GRUB_CMDLINE_LINUX="vsyscall=none" |
Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. |
Warnings | warning
The GRUB 2 configuration file, grub.cfg ,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -ocommand as follows:
|
Configure kernel to trust the CPU random number generator
Rule ID | xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83314-5 References: FCS_RBG_EXT.1.1, SRG-OS-000480-GPOS-00227 |
Description | There exist two ways how to ensure that the Linux kernel trusts the CPU
hardware random number generator. If the option is configured during kernel
compilation, e.g. the option sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on" |
Rationale | The Linux kernel offers an option which signifies if the kernel should trust data provided by CPU hardware random number generator. Hardware random number generators can provide random data very quickly and are used to generate random cryptographic keys. They can be useful during boot time when other means of getting random data can be slow because there is not yet enough entropy in the system. |
Configure TLS for rsyslog remote logging
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_tls |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82457-3 References: AU-9(3), CM-6(a), FCS_TLSC_EXT.1, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, 0988, 1405 |
Description | Configure echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.confReplace the <remote system> in the above command with an IP address or a host name of the remote logging server. |
Rationale | For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted. |
Configure CA certificate for rsyslog remote logging
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82458-1 References: FCS_TLSC_EXT.1, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, 0988, 1405 |
Description | Configure CA certificate for echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.confReplace the /etc/pki/tls/cert.pem in the above command with the path to the file with CA certificate generated for the purpose of remote logging. |
Rationale | The CA certificate needs to be set or error: ca certificate is not set, cannot continue |
Ensure rsyslog-gnutls is installed
Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82859-0 References: FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 |
Description | TLS protocol support for rsyslog is installed.
The $ sudo yum install rsyslog-gnutls |
Rationale | The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. |
Ensure rsyslog is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80847-7 References: BP28(R5), NT28(R46), 4.2.1.1, CCI-001311, CCI-001312, 164.312(a)(2)(ii), A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 1, 14, 15, 16, 3, 5, 6, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024 |
Description | Rsyslog is installed by default. The $ sudo yum install rsyslog |
Rationale | The rsyslog package provides the rsyslog daemon, which provides system logging services. |
Disable Bluetooth Kernel Module
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80832-9 References: 5.13.1.3, 3.1.16, CCI-000085, CCI-001551, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, SRG-OS-000095-GPOS-00049 |
Description | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate install bluetooth /bin/true |
Rationale | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
Disable CAN Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82059-7 References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
Description | The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the install can /bin/true |
Rationale | Disabling CAN protects the system against exploitation of any flaws in its implementation. |
Disable IEEE 1394 (FireWire) Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82005-0 References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
Description | The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the install firewire-core /bin/true |
Rationale | Disabling FireWire protects the system against exploitation of any flaws in its implementation. |
Disable TIPC Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82297-3 References: CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 3.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the install tipc /bin/true |
Rationale | Disabling TIPC protects the system against exploitation of any flaws in its implementation. |
Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
Disable ATM Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82028-2 References: FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049 |
Description | The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the install atm /bin/true |
Rationale | Disabling ATM protects the system against exploitation of any flaws in its implementation. |
Disable SCTP Support
Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80834-5 References: 3.5.2, 5.10.1, 3.4.6, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000095-GPOS-00049 |
Description | The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the install sctp /bin/true |
Rationale | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
Install firewalld Package
Rule ID | xccdf_org.ssgproject.content_rule_package_firewalld_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82998-6 References: CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000298-GPOS-00116, 3.4.1.1 |
Description | The $ sudo yum install firewalld |
Rationale | The firewalld package should be installed to provide access control methods. |
Verify firewalld Enabled
Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80877-4 References: 3.4.2.1, 3.1.3, 3.4.7, CCI-000366, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9 |
Description | The $ sudo systemctl enable firewalld.service |
Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81013-5 References: BP28(R22), 3.1.20, 3.2.1, CCI-000366, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.2.3.4, 4.3.3.4, 4.4.3.3, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
|
Disable Accepting ICMP Redirects for All IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81009-3 References: BP28(R22), 3.3.2, 3.1.20, CCI-001551, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81010-1 References: BP28(R22), 3.3.2, 3.1.20, CCI-001551, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.default.accept_redirects = 0 |
Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81015-0 References: BP28(R22), 3.1.20, CCI-000366, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.2.3.4, 4.3.3.4, 4.4.3.3, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, SRG-OS-000480-GPOS-00227, 3.2.1 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Accepting Router Advertisements on All IPv6 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81006-9 References: 3.2.9, 3.1.20, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.all.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81007-7 References: 3.2.9, 3.1.20, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv6.conf.default.accept_ra = 0 |
Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81022-6 References: CCI-000366, BP28(R22), 3.2.7, 3.1.20, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.4.3.3, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81016-8 References: BP28(R22), 3.2.3, 3.1.20, CCI-001503, CCI-001551, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Kernel Parameter for Accepting Secure Redirects By Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81017-6 References: BP28(R22), 3.2.3, 3.1.20, CCI-001551, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.secure_redirects = 0 |
Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80919-4 References: BP28(R22), 3.2.2, 5.10.1.1, 3.1.20, CCI-000366, CCI-001551, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
|
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80922-8 References: 3.2.5, 5.10.1.1, 3.1.20, CCI-000366, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.icmp_echo_ignore_broadcasts = 1 |
Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
|
Disable Accepting ICMP Redirects for All IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80917-8 References: BP28(R22), 3.2.2, 5.10.1.1, 3.1.20, CCI-000366, CCI-001503, CCI-001551, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.accept_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
|
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80920-2 References: BP28(R22), 3.2.1, 5.10.1.1, 3.1.20, CCI-000366, CCI-001551, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
|
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81018-4 References: BP28(R22), 3.2.4, 3.1.20, CCI-000126, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.log_martians=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81011-9 References: BP28(R22), 3.2.1, 3.1.20, CCI-000366, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.accept_source_route = 0 |
Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
|
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81021-8 References: BP28(R22), 3.2.7, 3.1.20, CCI-000366, CCI-001551, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.4.3.3, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.rp_filter = 1 |
Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81023-4 References: BP28(R22), 3.2.6, 3.1.20, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.icmp_ignore_bogus_error_responses = 1 |
Rationale | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-81020-0 References: 3.2.4, 3.1.20, CCI-000126, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, SRG-OS-000480-GPOS-00227 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.log_martians=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.log_martians = 1 |
Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81024-2 References: BP28(R22), 3.1.1., 3.1.20, CCI-000366, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.ip_forward=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.ip_forward = 0 |
Rationale | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. |
Warnings | warning
Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding. |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80921-0 References: BP28(R22), 3.1.2, 5.10.1.1, 3.1.20, CCI-000366, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.default.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80918-6 References: BP28(R22), 3.1.2, 5.10.1.1, 3.1.20, CCI-000366, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9 |
Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d : net.ipv4.conf.all.send_redirects = 0 |
Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Install policycoreutils-python-utils package
Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils-python-utils_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82724-6 References: SRG-OS-000480-GPOS-00227 |
Description | The $ sudo yum install policycoreutils-python-utils |
Rationale | This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. |
Install policycoreutils Package
Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | high |
Identifiers and References | Identifiers: CCE-82976-2 References: SRG-OS-000480-GPOS-00227 |
Description | The $ sudo yum install policycoreutils |
Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.
|
Ensure SELinux State is Enforcing
Configure SELinux Policy
Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80868-3 References: BP28(R66), 1.7.1.3, 3.1.2, 3.7.2, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9 |
Description | The SELinux SELINUXTYPE=targetedOther policies, such as mls , provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
Rationale | Setting the SELinux policy to |
Enable Smartcards in SSSD
Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_smartcards |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80909-5 References: CCI-001954, SRG-OS-000375-GPOS-00160, SRG-OS-000107-VMM-000530, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | SSSD should be configured to authenticate access to the system
using smart cards. To enable smart cards in SSSD, set [pam] pam_cert_auth = true |
Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Configure SSSD to Expire Offline Credentials
Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82460-7 References: CCI-002007, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166, SRG-OS-000383-VMM-001570, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | SSSD should be configured to expire offline credentials after 1 day.
To configure SSSD to expire offline credentials, set
[pam] offline_credentials_expiration = 1 |
Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Uninstall Sendmail Package
Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-81039-0 References: CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, BP28(R1), SRG-OS-000480-GPOS-00227 |
Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The $ sudo yum erase sendmail |
Rationale | The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. |
Set SSH Client Alive Count Max
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80907-9 References: 5.2.13, 5.5.6, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 |
Description | The SSH server sends at most |
Rationale | This ensures a user login will be terminated as soon as the |
Disable GSSAPI Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80897-2 References: 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-VMM-002000, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, 0418, 1055, 1402 |
Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
correct the following line in the GSSAPIAuthentication no |
Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. |
Disable Host-Based Authentication
Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80786-7 References: 5.2.9, 5.5.6, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 11, 12, 14, 15, 16, 18, 3, 5, 9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | SSH's cryptographic host-based authentication is
more secure than HostbasedAuthentication no |
Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
Disable SSH Root Login
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80901-2 References: 5.2.10, 5.5.6, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_UAU.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, BP28(R19), NT007(R21) |
Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in PermitRootLogin no |
Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. |
Force frequent session key renegotiation
Rule ID | xccdf_org.ssgproject.content_rule_sshd_rekey_limit |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82177-7 References: FCS_SSHS_EXT.1, SRG-OS-000480-GPOS-00227 |
Description | The |
Rationale | By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited. |
Disable SSH Access via Empty Passwords
SSH server uses strong entropy to seed
Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_strong_rng |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82462-3 References: FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00227 |
Description | To set up SSH server to use entropy from a high-quality source, edit the SSH_USE_STRONG_RNG=32 |
Rationale | SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. |
Warnings | warning
This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available. |
Disable Kerberos Authentication
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80898-0 References: 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, SRG-OS-000364-GPOS-00151, SRG-OS-000480-VMM-002000, SR 7.6, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, 11, 3, 9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561 |
Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos. To disable Kerberos authentication, add
or correct the following line in the KerberosAuthentication no |
Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. |
Enable Use of Strict Mode Checking
Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80904-6 References: 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | SSHs StrictModes yes |
Rationale | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
Set SSH Idle Timeout Interval
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80906-1 References: 5.2.13, 5.5.6, 3.1.11, CCI-000879, CCI-001133, CCI-002361, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, BP28(R29) |
Description | SSH allows administrators to set an idle timeout interval. After this interval
has passed, the idle user will be automatically logged out.
ClientAliveInterval 840 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config . Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
Rationale | Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. |
Warnings | warning
SSH disconnecting idle clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
Following conditions may prevent the SSH session to time out:
|
SSH client uses strong entropy to seed (for CSH like shells)
Rule ID | xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_csh |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83349-1 References: FCS_CKM.1.1, SRG-OS-000480-GPOS-00227 |
Description | To set up SSH client to use entropy from a high-quality source, make sure
that the appropriate shell environment variable is configured. The
setenv SSH_USE_STRONG_RNG 32. |
Rationale | Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. |
SSH client uses strong entropy to seed (Bash-like shells)
Rule ID | xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83346-7 References: FCS_CKM.1.1, SRG-OS-000480-GPOS-00227 |
Description | To set up SSH client to use entropy from a high-quality source, make sure
that the appropriate shell environment variable is configured. The
export SSH_USE_STRONG_RNG=32. |
Rationale | Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. |
Install OpenSSH client software
Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-clients_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82722-0 References: SRG-OS-000480-GPOS-00227, FIA_UAU.5, FTP_ITC_EXT.1 |
Description | The $ sudo yum install openssh-clients |
Rationale | This package includes utilities to make encrypted connections and transfer files securely to SSH servers. |
Install the OpenSSH Server Package
Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-83303-8 References: CCI-002418, CCI-002420, CCI-002421, CCI-002422, CM-6(a), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 13, 14, FIA_UAU.5, FTP_ITC_EXT.1 |
Description | The $ sudo yum install openssh-server |
Rationale | Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. |
The Chrony package is installed
Rule ID | xccdf_org.ssgproject.content_rule_package_chrony_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82874-9 References: 2.2.1.1, 0988, 1405, FMT_SMF_EXT.1, SRG-OS-000355-GPOS-00143 |
Description | System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The $ sudo yum install chrony |
Rationale | Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations. |
Disable network management of chrony daemon
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82840-0 References: FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050 |
Description | The |
Rationale | Not exposing the management interface of the chrony daemon on the network diminishes the attack space. |
Disable chrony daemon from acting as server
Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | unknown |
Identifiers and References | Identifiers: CCE-82988-7 References: FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050 |
Description | The |
Rationale | Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. |
Install fapolicyd Package
Rule ID | xccdf_org.ssgproject.content_rule_package_fapolicyd_installed |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82191-8 References: CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155 |
Description | The $ sudo yum install fapolicyd |
Rationale |
|
Enable the File Access Policy Service
Rule ID | xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82249-4 References: CM-6(a), SI-4(22), FMT_SMF_EXT.1, SRG-OS-000370-GPOS-00155 |
Description | The File Access Policy service should be enabled.
The $ sudo systemctl enable fapolicyd.service |
Rationale | The |
Uninstall Automatic Bug Reporting Tool (abrt)
Rule ID | xccdf_org.ssgproject.content_rule_package_abrt_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_abrt_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80948-3 References: SRG-OS-000095-GPOS-00049 |
Description | The Automatic Bug Reporting Tool ( $ sudo yum erase abrt |
Rationale | Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. |
package abrt is removed oval:ssg-test_package_abrt_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type rpminfo_object
Name |
---|
abrt |
Disable KDump Kernel Crash Analyzer (kdump)
Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-80878-2 References: CCI-000366, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, FMT_SMF_EXT.1.1 |
Description | The $ sudo systemctl mask --now kdump.service |
Rationale | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. |
Uninstall nfs-utils Package
Rule ID | xccdf_org.ssgproject.content_rule_package_nfs-utils_removed |
Result | pass |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_nfs-utils_removed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | low |
Identifiers and References | Identifiers: CCE-82932-5 References: SRG-OS-000095-GPOS-00049 |
Description | The $ sudo yum erase nfs-utils |
Rationale |
|
package nfs-utils is removed oval:ssg-test_package_nfs-utils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_nfs-utils_removed:obj:1 of type rpminfo_object
Name |
---|
nfs-utils |
Disable Kerberos by removing host keytab
Rule ID | xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82175-1 References: FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, 0418, 1055, 1402 |
Description | Kerberos is not an approved key distribution method for
Common Criteria. To prevent using Kerberos by system daemons,
remove the Kerberos keytab files, especially
|
Rationale | The key derivation function (KDF) in Kerberos is not FIPS compatible. |
Install usbguard Package
Rule ID | xccdf_org.ssgproject.content_rule_package_usbguard_installed |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-package_usbguard_installed:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82959-8 References: SRG-OS-000378-GPOS-00163, 1418 |
Description | The $ sudo yum install usbguard |
Rationale |
|
package usbguard is installed oval:ssg-test_package_usbguard_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type rpminfo_object
Name |
---|
usbguard |
Enable the USBGuard Service
Rule ID | xccdf_org.ssgproject.content_rule_service_usbguard_enabled |
Result | notapplicable |
Multi-check rule | no |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82853-3 References: FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, 1418 |
Description | The USBGuard service should be enabled.
The $ sudo systemctl enable usbguard.service |
Rationale | The |
Authorize Human Interface Devices and USB hubs in USBGuard daemon
Rule ID | xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-usbguard_allow_hid_and_hub:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82368-2 References: FMT_SMF_EXT.1, SRG-OS-000114-GPOS-00059 |
Description | To allow authorization of USB devices combining human interface device and hub capabilities
by USBGuard daemon,
add the line
|
Rationale | Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system. |
Warnings | warning
This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind. |
Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists oval:ssg-test_usbguard_rules_nonempty:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/usbguard/rules.conf | ^.*\S+.*$ | 1 |
Log USBGuard daemon audit events using Linux Audit
Rule ID | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend |
Result | fail |
Multi-check rule | no |
OVAL Definition ID | oval:ssg-configure_usbguard_auditbackend:def:1 |
Time | 2021-02-11T19:31:22+00:00 |
Severity | medium |
Identifiers and References | Identifiers: CCE-82168-6 References: FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031 |
Description | To configure USBGuard daemon to log via Linux Audit
(as opposed directly to a file),
|
Rationale | Using the Linux Audit logging allows for centralized trace of events. |
tests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file oval:ssg-test_configure_usbguard_auditbackend:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_configure_usbguard_auditbackend:obj:1 of type textfilecontent54_object
Filepath | Pattern | Instance |
---|---|---|
/etc/usbguard/usbguard-daemon.conf | ^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#) | 1 |
The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_configure_usbguard_auditbackend_config_file:obj:1 of type file_object
Filepath |
---|
^/etc/usbguard/usbguard-daemon.conf |