Guide to the Secure Configuration of Red Hat Enterprise Linux 8
with profile DISA STIG for Red Hat Enterprise Linux 8This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R7. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image
https://www.open-scap.org/security-policies/scap-security-guide
scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
| Evaluation target | podman-image://08b94d2bb1d2e54bbdc2e32eb40c90c69675d72dffb629255da0921d4dac8966 [localhost/twistlock/private:defender_22_06_224] |
|---|---|
| Benchmark URL | /workdir/scap-security-guide-0.1.64/ssg-rhel8-ds-1.2.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-8 |
| Benchmark version | 0.1.64 |
| Profile ID | xccdf_org.ssgproject.content_profile_stig |
| Started at | 2022-11-10T23:33:56 |
| Finished at | 2022-11-10T23:34:01 |
| Performed by | pfox |
| Test system | cpe:/a:redhat:openscap:1.3.2 |
CPE Platforms
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Addresses
- IPv4 127.0.0.1
- IPv4 10.0.0.15
- IPv4 10.88.0.1
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:20d:3aff:fedf:bb4a
- IPv6 fe80:0:0:0:7860:bdff:fe24:18d7
- IPv6 fe80:0:0:0:a44b:fbff:fefc:7909
- IPv6 fe80:0:0:0:907f:fbff:fe08:1397
- MAC 00:00:00:00:00:00
- MAC 00:0D:3A:DF:BB:4A
- MAC 7A:60:BD:24:18:D7
- MAC A6:4B:FB:FC:79:09
- MAC 92:7F:FB:08:13:97
Compliance and Scoring
Rule results
Severity of failed rules
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 62.447914 | 100.000000 |
Rule Overview
Result Details
Install AIDE
Configure AIDE to Verify the Audit Tools
| Rule ID | xccdf_org.ssgproject.content_rule_aide_check_audit_tools |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85964-5 References: CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, RHEL-08-030650, SV-230475r833333_rule |
| Description | The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
| Rationale | Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. |
Configure Notification of Post-AIDE Scan Details
| Rule ID | xccdf_org.ssgproject.content_rule_aide_scan_notification |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82891-3 References: BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, RHEL-08-010360, SV-230263r627750_rule |
| Description | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostOtherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostAIDE can be executed periodically through other means; this is merely one example. |
| Rationale | Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
|
Configure AIDE to Verify Access Control Lists (ACLs)
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_acls |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-84220-3 References: BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040310, SV-230552r627750_rule |
| Description | By default, the FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf |
| Rationale | ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. |
Configure AIDE to Verify Extended Attributes
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-83733-6 References: BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, RHEL-08-040300, SV-230551r627750_rule |
| Description | By default, the FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf |
| Rationale | Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. |
Audit Tools Must Be Group-owned by Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86239-1 References: CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030640, SV-230474r627750_rule |
| Description | Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct group owner. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
Audit Tools Must Be Owned by Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_ownership |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86259-9 References: CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, RHEL-08-030630, SV-230473r744008_rule |
| Description | Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct owner. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
Enable Dracut FIPS Module
| Rule ID | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82155-3 References: CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule |
| Description | To enable FIPS mode, run the following command: fips-mode-setup --enableTo enable FIPS, the system requires that the fips module is added in dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process. |
Enable FIPS Mode
| Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80942-6 References: CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule |
| Description | To enable FIPS mode, run the following command: fips-mode-setup --enable The fips-mode-setup command will configure the system in
FIPS mode by automatically configuring the following:
|
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
You can find the list of FIPS certified modules at
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. |
Set kernel parameter 'crypto.fips_enabled' to 1
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-84027-2 References: CCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-002418, CCI-002450, CCI-002890, CCI-003123, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590, RHEL-08-010020, SV-230223r792855_rule |
| Description | System running in FIPS mode is indicated by kernel parameter
fips-mode-setup --enableTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process. |
Configure BIND to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_bind_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80934-3 References: CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190, RHEL-08-010020, SV-230223r792855_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the |
| Rationale | Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented. |
package bind is removed oval:ssg-test_package_bind_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object
| Name |
|---|
| bind |
Check that the configuration includes the policy config file. oval:ssg-test_configure_bind_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/named.conf | ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ | 1 |
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80935-0 References: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule |
| Description | To configure the system cryptography policy to use ciphers only from the $ sudo update-crypto-policies --set FIPSThe rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/config | FIPS:OSPP |
check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/state/current | FIPS:OSPP |
Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1667691025 |
Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 351 | rw-r--r-- |
Configure GnuTLS library to use DoD-approved TLS Encryption
| Rule ID | xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_gnutls_tls_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84254-2 References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, RHEL-08-010295, SV-230256r792859_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
|
| Rationale | Overriding the system crypto policy makes the behavior of the GnuTLS library violate expectations, and makes system configuration more fragmented. |
tests the presence of '+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' setting in the /etc/crypto-policies/back-ends/gnutls.config file oval:ssg-test_configure_gnutls_tls_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_configure_gnutls_tls_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/crypto-policies/back-ends/gnutls.config | \+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0 | 1 |
Configure Kerberos to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80936-8 References: 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, RHEL-08-010020, SV-230223r792855_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. |
| Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. |
Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1 error
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /etc/crypto-policies/back-ends/krb5.config |
Check if kerberos configuration symlink links to the crypto-policy backend file oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /etc/crypto-policies/back-ends/krb5.config |
Configure Libreswan to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_libreswan_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80937-6 References: CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, SRG-OS-000033-GPOS-00014, RHEL-08-010020, SV-230223r792855_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Libreswan is supported by system crypto policy, but the Libreswan configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the |
| Rationale | Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. |
package libreswan is installed oval:ssg-test_package_libreswan_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
| Name |
|---|
| libreswan |
Check that the libreswan configuration includes the crypto policy config file oval:ssg-test_configure_libreswan_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ipsec.conf | ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$ | 1 |
Configure OpenSSL library to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80938-4 References: CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), SRG-OS-000250-GPOS-00093, RHEL-08-010293, SV-230254r627750_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under |
| Rationale | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented. |
Check that the configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pki/tls/openssl.cnf | [ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config |
Configure OpenSSL library to use TLS Encryption
| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_tls_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84255-9 References: CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010294, SV-230255r809382_rule |
| Description | Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. Editing the Crypto Policy back-end is not recommended. Check the crypto-policies(7) man page and choose a policy that configures TLS protocol to version 1.2 or higher, for example DEFAULT, FUTURE or FIPS policy. Or create and apply a custom policy that restricts minimum TLS version to 1.2. For example for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch this is expected: $ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config MinProtocol = TLSv1.2Or for version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer this is expected: $ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config TLS.MinProtocol = TLSv1.2 DTLS.MinProtocol = DTLSv1.2 |
| Rationale | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. |
| Warnings | warning
This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive.
Ensure the variable xccdf_org.ssgproject.content_value_var_system_crypto_policy is set to a
Crypto Policy that satisfies OpenSSL minimum TLS protocol version 1.2. Custom policies may be applied too. |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_tls_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensslcnf.config | TLS.MinProtocol = TLSv1.2 |
Installed version of crypto-policies is older than 20210617-1 oval:ssg-test_installed_version_of_crypto_policies:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| crypto-policies | noarch | (none) | 1.gitae470d6.el8 | 20211116 | 0:20211116-1.gitae470d6.el8 | 199e2f91fd431d51 | crypto-policies-0:20211116-1.gitae470d6.el8.noarch |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_dtls_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensslcnf.config | DTLS.MinProtocol = DTLSv1.2 |
Configure SSH to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80939-2 References: CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1 |
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-85902-5 References: CCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002890, CCI-003123, AC-17(2), SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, RHEL-08-010020, SV-230223r792855_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
Ciphers aes256-ctr,aes192-ctr,aes128-ctr |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of Ciphers setting in the /etc/crypto-policies/back-ends/openssh.config file oval:ssg-test_harden_sshd_ciphers_openssh_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/openssh.config | Ciphers aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc |
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85897-7 References: CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010291, SV-230252r743940_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of Ciphers setting in the /etc/crypto-policies/back-ends/opensshserver.config file oval:ssg-test_harden_sshd_ciphers_opensshserver_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensshserver.config | CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512' |
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_macs_openssh_conf_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85870-4 References: CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010020, SV-230223r792855_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings are configured correctly, ensure that
|
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of MACs setting in the /etc/crypto-policies/back-ends/openssh.config file oval:ssg-test_harden_sshd_macs_openssh_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/openssh.config | MACs hmac-sha2-256,hmac-sha2-512 |
Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85899-3 References: CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, RHEL-08-010290, SV-230251r743937_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings are configured correctly, ensure that
|
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of MACs setting in the /etc/crypto-policies/back-ends/opensshserver.config file oval:ssg-test_harden_sshd_macs_opensshserver_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensshserver.config | CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512' |
The Installed Operating System Is Vendor Supported
| Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-installed_OS_is_vendor_supported:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80947-5 References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, RHEL-08-010000, SV-230221r743913_rule |
| Description | The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. |
| Rationale | An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. |
| Warnings | warning
There is no remediation besides switching to a different operating system. |
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol8_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
Install McAfee Endpoint Security for Linux (ENSL)
| Rule ID | xccdf_org.ssgproject.content_rule_package_mcafeetp_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86260-7 References: CCI-001233, SI-2(2), SRG-OS-000191-GPOS-00080, RHEL-08-010001, SV-245540r754730_rule |
| Description | Install McAfee Endpoint Security for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
The $ sudo yum install McAfeeTP |
| Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
| Warnings | warning
Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
automated remediation is not available for this configuration check. |
Ensure McAfee Endpoint Security for Linux (ENSL) is running
| Rule ID | xccdf_org.ssgproject.content_rule_agent_mfetpd_running |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86261-5 References: CCI-001233, SI-2(2), SRG-OS-000191-GPOS-00080, RHEL-08-010001, SV-245540r754730_rule |
| Description | Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. |
| Rationale | Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. |
| Warnings | warning
Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
automated remediation is not available for this configuration check. |
Encrypt Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80789-1 References: 13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000404-VMM-001650, SRG-OS-000405-VMM-001660, RHEL-08-010030, SV-230224r809268_rule |
| Description | Red Hat Enterprise Linux 8 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASEAny PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening . |
| Rationale | The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. |
Ensure /home Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-81044-0 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r627750_rule |
| Description | If user home directories will be stored locally, create a separate partition
for |
| Rationale | Ensuring that |
Ensure /tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80851-9 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule |
| Description | The |
| Rationale | The |
Ensure /var Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80852-7 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.3.1, SV-230292r627750_rule |
| Description | The |
| Rationale | Ensuring that |
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80853-5 References: BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r627750_rule |
| Description | System logs are stored in the |
| Rationale | Placing |
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80854-3 References: BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule |
| Description | Audit logs are stored in the |
| Rationale | Placing |
Ensure /var/tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_tmp |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82730-3 References: BP28(R12), SRG-OS-000480-GPOS-00227, RHEL-08-010544, 1.1.4.1, SV-244529r743836_rule |
| Description | The |
| Rationale | The |
Disable the GNOME3 Login User List
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86195-5 References: CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, RHEL-08-020032, SV-244536r743857_rule |
| Description | In the default graphical environment, users logging directly into the
system are greeted with a login screen that displays all known users.
This functionality should be disabled by setting [org/gnome/login-screen] disable-user-list=trueOnce the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-user-listAfter the settings have been set, run dconf update. |
| Rationale | Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. |
Enable the GNOME3 Screen Locking On Smartcard Removal
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83910-0 References: CCI-000056, CCI-000058, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020050, SV-230351r792899_rule |
| Description | In the default graphical environment, screen locking on smartcard removal
can be enabled by setting [org/gnome/settings-daemon/peripherals/smartcard] removal-action='lock-screen'Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-actionAfter the settings have been set, run dconf update. |
| Rationale | Locking the screen automatically when removing the smartcard can prevent undesired access to system. |
Disable GDM Automatic Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80823-8 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-6(1), CM-7(b), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00229, RHEL-08-010820, SV-230329r627750_rule |
| Description | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the [daemon] AutomaticLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating system security. |
Set GNOME3 Screensaver Inactivity Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80775-0 References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020060, SV-230352r646876_rule |
| Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the [org/gnome/desktop/session] idle-delay=uint32 900 |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. |
Set GNOME3 Screensaver Lock Delay After Activation Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80776-8 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020031, SV-244535r743854_rule |
| Description | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set [org/gnome/desktop/screensaver] lock-delay=uint32 5After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
Enable GNOME3 Screensaver Lock After Idle Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80777-6 References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020030, SV-230347r627750_rule |
| Description |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set [org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. |
Ensure Users Cannot Change GNOME3 Screensaver Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80780-0 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020080, SV-230354r743990_rule |
| Description | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
Ensure Users Cannot Change GNOME3 Session Idle Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80781-8 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020081, SV-244538r743863_rule |
| Description | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. |
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-84028-0 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040171, SV-230530r646883_rule |
| Description | By default, [org/gnome/settings-daemon/plugins/media-keys] logout=''Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logoutAfter the settings have been set, run dconf update. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_no_authenticate:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82202-3 References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010381, SV-230272r627750_rule |
| Description | The sudo |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
|
!authenticate does not exist in /etc/sudoers oval:ssg-test_no_authenticate_etc_sudoers:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
!authenticate does not exist in /etc/sudoers.d oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_nopasswd:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82197-5 References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, RHEL-08-010380, SV-230271r833301_rule |
| Description | The sudo |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
|
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV requires to perform operations as root without being asked for password. |
NOPASSWD does not exist /etc/sudoers oval:ssg-test_nopasswd_etc_sudoers:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
NOPASSWD does not exist in /etc/sudoers.d oval:ssg-test_nopasswd_etc_sudoers_d:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_require_reauthentication:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-87838-9 References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, SV-237643r838720_rule |
| Description | The sudo |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
|
check correct configuration in /etc/sudoers oval:ssg-test_sudo_timestamp_timeout:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sudo_timestamp_timeout:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$ | 1 |
Ensure sudo only includes the default configuration directory
| Rule ID | xccdf_org.ssgproject.content_rule_sudoers_default_includedir |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudoers_default_includedir:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86377-9 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010379, SV-251711r833385_rule |
| Description | Administrators can configure authorized |
| Rationale | Some |
test none sudoers #include or @include oval:ssg-test_sudoers_without_include:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^[#@]include[\s]+.*$ | 1 |
test none sudoers #includedir or @includdir oval:ssg-test_sudoers_without_includedir:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_includedir:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^[#@]includedir[\s]+.*$ | 1 |
test only one sudoers #includedir oval:ssg-test_sudoers_default_includedir:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_default_includedir:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^#includedir[\s]+(.*)$ | 1 |
test none sudoers #include or @include oval:ssg-test_sudoers_without_include:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^[#@]include[\s]+.*$ | 1 |
test none sudoers @includedir oval:ssg-test_sudoers_without_includedir_new:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include_new:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^@includedir[\s]+.*$ | 1 |
test none sudoers.d #include, @include, #includedir or @includedir oval:ssg-test_sudoersd_without_includes:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoersd_without_includes:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d/ | .* | ^[#@]include(?:dir)?[\s]+.*$ | 1 |
Ensure invoking users password for privilege escalation when using sudo
| Rule ID | xccdf_org.ssgproject.content_rule_sudoers_validate_passwd |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudoers_validate_passwd:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83422-6 References: CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010383, SV-237642r833369_rule |
| Description | The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for: sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
or if cvtsudoers not supported:
sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw |
| Rationale | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. |
Ensure invoking user's password for privilege escalation when using sudo oval:ssg-test_sudoers_targetpw_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_config:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults !targetpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo oval:ssg-test_sudoers_rootpw_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_config:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults !rootpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo oval:ssg-test_sudoers_runaspw_config:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_config:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults !runaspw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo oval:ssg-test_sudoers_targetpw_not_defined:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_targetpw_not_defined:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults targetpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo oval:ssg-test_sudoers_rootpw_not_defined:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_rootpw_not_defined:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults rootpw$\r?\n | 1 |
Ensure invoking user's password for privilege escalation when using sudo oval:ssg-test_sudoers_runaspw_not_defined:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_sudoers_runaspw_not_defined:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(\.d/.*)?$ | ^Defaults runaspw$\r?\n | 1 |
Install rng-tools Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rng-tools_installed |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rng-tools_installed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82968-9 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010472, SV-244527r743830_rule |
| Description | The $ sudo yum install rng-tools |
| Rationale |
|
package rng-tools is installed oval:ssg-test_package_rng-tools_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rng-tools_installed:obj:1 of type rpminfo_object
| Name |
|---|
| rng-tools |
Uninstall abrt-addon-ccpp Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-addon-ccpp_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82919-2 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase abrt-addon-ccpp |
| Rationale |
|
package abrt-addon-ccpp is removed oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt-addon-ccpp |
Uninstall abrt-addon-kerneloops Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-addon-kerneloops_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82926-7 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase abrt-addon-kerneloops |
| Rationale |
|
package abrt-addon-kerneloops is removed oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt-addon-kerneloops |
Uninstall abrt-cli Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-cli_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-cli_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82907-7 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase abrt-cli |
| Rationale |
|
package abrt-cli is removed oval:ssg-test_package_abrt-cli_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-cli_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt-cli |
Uninstall abrt-plugin-sosreport Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-plugin-sosreport_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82910-1 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase abrt-plugin-sosreport |
| Rationale |
|
package abrt-plugin-sosreport is removed oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt-plugin-sosreport |
Uninstall gssproxy Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_gssproxy_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_gssproxy_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82943-2 References: CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040370, SV-230559r646887_rule |
| Description | The $ sudo yum erase gssproxy |
| Rationale |
|
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV uses NFS storage, which has dependency on gssproxy. |
package gssproxy is removed oval:ssg-test_package_gssproxy_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object
| Name |
|---|
| gssproxy |
Uninstall iprutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_iprutils_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_iprutils_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82946-5 References: CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040380, SV-230560r627750_rule |
| Description | The $ sudo yum erase iprutils |
| Rationale |
|
package iprutils is removed oval:ssg-test_package_iprutils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object
| Name |
|---|
| iprutils |
Uninstall krb5-workstation Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_krb5-workstation_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82931-7 References: CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, RHEL-08-010162, SV-230239r646864_rule |
| Description | The $ sudo yum erase krb5-workstation |
| Rationale | Kerberos is a network authentication system. The |
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV hosts require ipa-client package, which has dependency on krb5-workstation. |
package krb5-workstation is removed oval:ssg-test_package_krb5-workstation_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_krb5-workstation_removed:obj:1 of type rpminfo_object
| Name |
|---|
| krb5-workstation |
Uninstall libreport-plugin-logger Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_libreport-plugin-logger_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-89201-8 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase libreport-plugin-logger |
| Rationale |
|
package libreport-plugin-logger is removed oval:ssg-test_package_libreport-plugin-logger_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreport-plugin-logger_removed:obj:1 of type rpminfo_object
| Name |
|---|
| libreport-plugin-logger |
Uninstall libreport-plugin-rhtsupport Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_libreport-plugin-rhtsupport_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_libreport-plugin-rhtsupport_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-88955-0 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase libreport-plugin-rhtsupport |
| Rationale |
|
package libreport-plugin-rhtsupport is removed oval:ssg-test_package_libreport-plugin-rhtsupport_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreport-plugin-rhtsupport_removed:obj:1 of type rpminfo_object
| Name |
|---|
| libreport-plugin-rhtsupport |
Uninstall python3-abrt-addon Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_python3-abrt-addon_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_python3-abrt-addon_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-86084-1 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The $ sudo yum erase python3-abrt-addon |
| Rationale |
|
package python3-abrt-addon is removed oval:ssg-test_package_python3-abrt-addon_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_python3-abrt-addon_removed:obj:1 of type rpminfo_object
| Name |
|---|
| python3-abrt-addon |
Uninstall tuned Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tuned_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tuned_removed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82904-4 References: CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040390, SV-230561r627750_rule |
| Description | The $ sudo yum erase tuned |
| Rationale |
|
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV requires tuned package for tuning profiles that can enhance virtualization performance. |
package tuned is removed oval:ssg-test_package_tuned_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tuned_removed:obj:1 of type rpminfo_object
| Name |
|---|
| tuned |
Ensure yum Removes Previous Package Versions
| Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82476-3 References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, SRG-OS-000437-VMM-001760, RHEL-08-010440, SV-230281r627750_rule |
| Description |
|
| Rationale | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. |
Ensure gpgcheck Enabled In Main yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80790-9 References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, 1.2.3, SV-230264r627750_rule |
| Description | The gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
|
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80791-7 References: BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010371, SV-230265r627750_rule |
| Description |
|
| Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
|
Ensure gpgcheck Enabled for All yum Package Repositories
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_never_disabled:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80792-5 References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, SV-230264r627750_rule |
| Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in gpgcheck=0 |
| Rationale | Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." |
check for existence of gpgcheck=0 in /etc/yum.repos.d/ files oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1 |
Ensure Red Hat GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_redhat_gpgkey_installed:def:1 |
| Time | 2022-11-10T23:33:56 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80795-8 References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, 1.2.2 |
| Description | To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager registerIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEYAlternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release |
| Rationale | Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | (none) | 0.1.el8 | 8.6 | 0:8.6-0.1.el8 | 199e2f91fd431d51 | redhat-release-0:8.6-0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Red Hat release key package is installed oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
| gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Red Hat auxiliary key package is installed oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
| gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
Check os-release ID oval:ssg-test_centos8_name:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/os-release | ID="rhel" |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-object_unix_family:obj:1 of type family_object
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Check os-release ID oval:ssg-test_centos8_name:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_name_centos8:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^ID="(\w+)"$ | 1 |
Check os-release ID oval:ssg-test_centos8_name:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/os-release | ID="rhel" |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
Check os-release VERSION_ID oval:ssg-test_centos8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_version_centos8:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/os-release | ^VERSION_ID="(\d)"$ | 1 |
CentOS8 key package is installed oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 4ae0493b | fd431d51 | 0:fd431d51-4ae0493b | 0 | gpg-pubkey-0:fd431d51-4ae0493b.(none) |
| gpg-pubkey | (none) | (none) | 5b32db75 | d4082792 | 0:d4082792-5b32db75 | 0 | gpg-pubkey-0:d4082792-5b32db75.(none) |
Ensure Software Patches Installed
| Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80865-9 References: BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010010, 1.9, SV-230222r627750_rule |
| Description | If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
| Rationale | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. |
| Warnings | warning
The OVAL feed of Red Hat Enterprise Linux 8 is not a XML file, which may not be understood by all scanners. |
Account Lockouts Must Be Logged
| Rule ID | xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_passwords_pam_faillock_audit:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86107-0 References: CCI-000044, AC-7 (a), SRG-OS-000021-GPOS-00005, RHEL-08-020021, SV-230343r743981_rule |
| Description | PAM faillock locks an account due to excessive password failures, this event must be logged. |
| Rationale | Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. |
Check the presence of audit parameter in system-auth oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/system-auth | 1 |
Check the presence of audit parameter in password-auth oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/password-auth | 1 |
Check the absence of audit parameter in /etc/security/faillock.conf oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/faillock.conf | ^\s*audit | 1 |
Check the absence of audit parameter in system-auth oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/system-auth | 1 |
Check the absence of audit parameter in password-auth oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/password-auth | 1 |
Check the expected audit value in in /etc/security/faillock.conf oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/faillock.conf | ^\s*audit | 1 |
Limit Password Reuse: password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83478-8 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, RHEL-08-020220, 5.5.3, SV-230368r810414_rule |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
password control_flag pam_pwhistory.so ...existing_options... remember=5 use_authtokcontrol_flag should be one of the next values: required |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. |
Limit Password Reuse: system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83480-4 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, RHEL-08-020221, 5.5.3, SV-251717r810415_rule |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
password control_flag pam_pwhistory.so ...existing_options... remember=5 use_authtokcontrol_flag should be one of the next values: required |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. |
Lock Accounts After Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80667-9 References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, RHEL-08-020010, 5.4.2, 5.5.2, SV-230332r627750_rule |
| Description | This rule configures the system to lock out accounts after a number of incorrect login attempts
using |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
Configure the root Account for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80668-7 References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-08-020022, SV-230344r646874_rule |
| Description | This rule configures the system to lock out the |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
Set Interval For Counting Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80669-5 References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, RHEL-08-020012, SV-230334r627750_rule |
| Description | Utilizing |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80670-3 References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180, RHEL-08-020016, 5.4.2, SV-230338r627750_rule |
| Description | This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. |
| Warnings | warning
If the system supports the new /etc/security/faillock.conf file but the
pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and
/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter
to /etc/security/faillock.conf to ensure compatibility with authselect tool.
The parameters deny and fail_interval, if used, also have to be migrated
by their respective remediation.warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80653-9 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, SRG-OS-000071-VMM-000380, RHEL-08-020130, SV-230359r833317_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86233-4 References: CCI-000366, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), SRG-OS-000480-GPOS-00225, RHEL-08-020300, SV-230377r833331_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Different Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80654-7 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, SRG-OS-000072-VMM-000390, RHEL-08-020170, SV-230363r833325_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80655-4 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, SRG-OS-000070-VMM-000370, RHEL-08-020120, SV-230358r833315_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81034-1 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020140, SV-230360r833319_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
|
Set Password Maximum Consecutive Repeating Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82066-2 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020150, SV-230361r833321_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Different Categories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82046-4 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, 5.5.1, SV-230362r833323_rule |
| Description | The pam_pwquality module's * Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)Modify the minclass setting in /etc/security/pwquality.conf entry
to require 4
differing categories of characters when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80656-2 References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450, RHEL-08-020230, 5.5.1, SV-230369r833327_rule |
| Description | The pam_pwquality module's |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
|
Ensure PAM Enforces Password Requirements - Minimum Special Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80663-8 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, SRG-OS-000266-VMM-000940, RHEL-08-020280, SV-230375r833329_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
|
Ensure PAM password complexity module is enabled in password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85877-9 References: CCI-000366, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227, RHEL-08-020100, SV-230356r809379_rule |
| Description | To enable PAM password complexity in password-auth file:
Edit the |
| Rationale | Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks. |
Ensure PAM password complexity module is enabled in system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85872-0 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-020101, SV-251713r810407_rule |
| Description | To enable PAM password complexity in system-auth file:
Edit the |
| Rationale | Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks. |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80664-6 References: 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, 5.4.1, SV-251716r833387_rule |
| Description | To configure the number of retry prompts that are permitted per-session:
Edit the |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80665-3 References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000069-VMM-000360, RHEL-08-020110, SV-230357r833313_rule |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
|
Set Password Hashing Algorithm in /etc/login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80892-3 References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-08-010110, SV-230231r627750_rule |
| Description | In ENCRYPT_METHOD SHA512 |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
|
Set PAM''s Password Hashing Algorithm - password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85945-4 References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SRG-OS-000480-VMM-002000, RHEL-08-010160, 5.4.4, SV-230237r809276_rule |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
|
Set PAM''s Password Hashing Algorithm
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80893-1 References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SRG-OS-000480-VMM-002000, RHEL-08-010159, 5.4.4, SV-244524r809331_rule |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/system-auth", the
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
|
Set Password Hashing Rounds in /etc/login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_min_rounds_logindefs:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89707-4 References: CCI-000196, CCI-000803, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010130, SV-230233r809273_rule |
| Description | In SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if
they are kept in plain text.
|
SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MIN_ROUNDS\s* | 1 |
SHA_CRYPT_MIN_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000 oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_present:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_present:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)\s*$ | 1 |
SHA_CRYPT_MAX_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MAX_ROUNDS\s* | 1 |
SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MIN_ROUNDS\s* | 1 |
SHA_CRYPT_MAX_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000 oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_present:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_present:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\s*$ | 1 |
Ensure PAM Displays Last Logon/Access Notification
| Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80788-3 References: 1, 12, 15, 16, 5.5.2, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0582, 0584, 05885, 0586, 0846, 0957, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9(1), CM-6(a), PR.AC-7, Req-10.2.4, SRG-OS-000480-GPOS-00227, RHEL-08-020340, SV-230381r627750_rule |
| Description | To configure the system to notify users of last logon/access
using session required pam_lastlog.so showfailedAnd make sure that the silent option is not set for
pam_lastlog module. |
| Rationale | Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. |
Install the tmux Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tmux_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80644-8 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, SRG-OS-000030-VMM-000110, RHEL-08-020039, SV-244537r743860_rule |
| Description | To enable console screen locking, install the $ tmuxThe console can now be locked with the following key combination: ctrl+b :lock-session |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
|
Support session locking with tmux
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82266-8 References: CCI-000056, CCI-000058, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000031-GPOS-00012, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020041, SV-230349r833388_rule |
| Description | The |
| Rationale | Unlike |
Configure tmux to lock session after inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82199-1 References: CCI-000057, CCI-000060, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, RHEL-08-020070, SV-230353r627750_rule |
| Description | To enable console screen locking in |
| Rationale | Locking the session after a period of inactivity limits the potential exposure if the session is left unattended. |
Configure the tmux Lock Command
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_command |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80940-0 References: CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000028-VMM-000090, SRG-OS-000030-VMM-000110, RHEL-08-020040, SV-230348r743987_rule |
| Description | To enable console screen locking in set -g lock-command vlock. The console can now be locked with the following key combination: ctrl+b :lock-session |
| Rationale | The |
Prevent user from disabling the screen lock
| Rule ID | xccdf_org.ssgproject.content_rule_no_tmux_in_shells |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82361-7 References: CCI-000056, CCI-000058, CM-6, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, RHEL-08-020042, SV-230350r627750_rule |
| Description | The |
| Rationale | Not listing |
Install the opensc Package For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_package_opensc_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80846-9 References: CCI-001954, CCI-001953, 1382, 1384, 1386, CM-6(a), SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000376-VMM-001520, RHEL-08-010410, SV-230275r627750_rule |
| Description |
The $ sudo yum install opensc |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Install Smart Card Packages For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_install_smartcard_packages |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84029-8 References: CCI-000765, CCI-001948, CCI-001953, CCI-001954, CM-6(a), SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162, RHEL-08-010390, SV-230273r743943_rule |
| Description | Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The $ sudo yum install openssl-pkcs11 |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80876-6 References: 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040180, SV-230532r627750_rule |
| Description | SystemD's $ sudo systemctl mask --now debug-shell.service |
| Rationale | This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. |
Disable Ctrl-Alt-Del Burst Action
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80784-2 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040172, SV-230531r627750_rule |
| Description | By default, CtrlAltDelBurstAction=none |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
| Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3. |
Disable Ctrl-Alt-Del Reboot Activation
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80785-9 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, RHEL-08-040170, SV-230529r833338_rule |
| Description | By default, ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. |
Require Authentication for Emergency Systemd Target
| Rule ID | xccdf_org.ssgproject.content_rule_require_emergency_target_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82186-8 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010152, 1.4.3, SV-244523r743818_rule |
| Description | Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
|
| Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
Require Authentication for Single User Mode
Set Account Expiration Following Inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80954-1 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590, RHEL-08-020260, 5.6.1.4, SV-230373r627750_rule |
| Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in INACTIVE=35If a password is currently on the verge of expiration, then 35
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 35 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
| Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. |
Assign Expiration Date to Emergency Accounts
| Rule ID | xccdf_org.ssgproject.content_rule_account_emergency_expire_date |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85910-8 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000016, CCI-001682, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002, SRG-OS-000002-VMM-000020, SRG-OS-000123-VMM-000620, RHEL-08-020270, SV-230374r627750_rule |
| Description | Emergency accounts are privileged accounts established in response to
crisis situations where the need for rapid account activation is required.
In the event emergency accounts are required, configure the system to
terminate them after a documented time period. For every emergency account,
run the following command to set an expiration date on it, substituting
$ sudo chage -E YYYY-MM-DD ACCOUNT_NAME YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| Rationale | If emergency user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all emergency accounts
must be set upon account creation.
|
| Warnings | warning
Due to the unique requirements of each sysetem, automated
remediation is not available for this configuration check. |
Assign Expiration Date to Temporary Accounts
| Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82474-8 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000016, CCI-001682, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002, SRG-OS-000002-VMM-000020, SRG-OS-000123-VMM-000620, RHEL-08-020000, SV-230331r627750_rule |
| Description | Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting $ sudo chage -E YYYY-MM-DD USER YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| Rationale | If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Set Password Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80647-1 References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, RHEL-08-020200, 5.6.1.1, SV-230366r646878_rule |
| Description | To specify password maximum age for new accounts,
edit the file PASS_MAX_DAYS 60A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 60. |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
|
Set Password Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80648-9 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, RHEL-08-020190, 5.6.1.2, SV-230365r627750_rule |
| Description | To specify password minimum age for new accounts,
edit the file PASS_MIN_DAYS 1A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 1. |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
|
Set Existing Passwords Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
| Result | notapplicable |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_max_life_existing:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82473-0 References: CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, SRG-OS-000076-VMM-000430, RHEL-08-020210, 5.6.1.1, SV-230367r627750_rule |
| Description | Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: $ sudo chage -M 60 USER |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. |
Password maximum lifetime for existing accounts is at least the minimum. oval:ssg-test_password_max_life_existing:tst:1 not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_max_life_existing:obj:1 of type shadow_object
| Username |
|---|
| .* |
Password maximum life entry is at least a defined minimum oval:ssg-test_password_max_life_existing_minimum:tst:1 not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_max_life_existing:obj:1 of type shadow_object
| Username |
|---|
| .* |
Set Existing Passwords Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
| Result | notapplicable |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_min_life_existing:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82472-2 References: CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, SRG-OS-000075-VMM000420, RHEL-08-020180, 5.6.1.2, SV-230364r627750_rule |
| Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: $ sudo chage -m 1 USER |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. |
Password minimum lifetime for existing accounts is at least what is defined by policy. oval:ssg-test_password_min_life_existing:tst:1 not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_min_life_existing:obj:1 of type shadow_object
| Username |
|---|
| .* |
Password minimum life entry is at mosta defined maximum oval:ssg-test_password_min_life_existing_maximum:tst:1 not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_shadow_password_users_min_life_existing:obj:1 of type shadow_object
| Username |
|---|
| .* |
Verify All Account Password Hashes are Shadowed with SHA512
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512 |
| Result | notapplicable |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_all_shadowed_sha512:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83484-6 References: CCI-000196, CCI-000803, IA-5(1)(c), IA-5(1).1(v), IA-7, IA-7.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, RHEL-08-010120, SV-230232r627750_rule |
| Description | Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: $ sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. |
password hashes are shadowed using sha512 oval:ssg-test_accounts_password_all_shadowed_sha512:tst:1 not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_all_shadowed_sha512:obj:1 of type shadow_object
| Username | Filter | Filter |
|---|---|---|
| .* | oval:ssg-state_accounts_password_all_shadowed_has_no_password:ste:1 | oval:ssg-state_accounts_password_all_shadowed_sha512:ste:1 |
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80841-0 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, SRG-OS-000480-GPOS-00227, RHEL-08-020331, SV-244540r743869_rule |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
|
| Rationale | If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
Note that this rule is not applicable for systems running within a
container. Having user with empty password within a container is not
considered a risk, because it should not be possible to directly login into
a container anyway. |
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80649-7 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040200, 6.2.8, SV-230534r627750_rule |
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
|
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_no_uid_except_root:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Ensure All Accounts on the System Have Unique User IDs
| Rule ID | xccdf_org.ssgproject.content_rule_account_unique_id |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89903-9 References: CCI-000135, CCI-000764, CCI-000804, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020, RHEL-08-020240, 6.2.3, SV-230371r627750_rule |
| Description | Change user IDs (UIDs), or delete accounts, so each has a unique name. |
| Rationale | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to unique requirements of each
system. |
Ensure the Default Bash Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81036-6 References: BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule |
| Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 false
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_bashrc_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Ensure the Default C Shell Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_csh_cshrc:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81037-4 References: 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, SV-230385r792902_rule |
| Description | To ensure the default umask for users of the C shell is set properly,
add or correct the umask 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1 false
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Ensure the Default Umask is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82888-9 References: BP28(R35), 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, RHEL-08-020351, 5.6.5, SV-230383r627750_rule |
| Description | To ensure the default umask controlled by UMASK 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. |
Ensure the Default Umask is Set Correctly in /etc/profile
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_profile:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81035-8 References: BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule |
| Description | To ensure the default umask controlled by umask 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 false
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_profile_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Ensure the Default Umask is Set Correctly For Interactive Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_interactive_users:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84044-7 References: CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228, RHEL-08-020352, SV-230384r627750_rule |
| Description | Remove the |
| Rationale | The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. |
Umask must not be defined in user initialization files oval:ssg-test_accounts_umask_interactive_users:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_umask_interactive_users:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| There was a problem processing referenced variable (oval:ssg-var_accounts_umask_interactive_users_d | ^\..* | ^[\s]*umask\s* | 1 |
Ensure Home Directories are Created for New Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83789-8 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010760, SV-230324r627750_rule |
| Description | All local interactive user accounts, upon creation, should be assigned a home directory.
CREATE_HOME yes |
| Rationale | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. |
Ensure the Logon Failure Delay is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84037-1 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226, RHEL-08-020310, SV-230378r627750_rule |
| Description | To ensure the logon failure delay controlled by FAIL_DELAY 4 |
| Rationale | Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. |
Limit the Number of Concurrent Login Sessions Allowed Per User
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80955-8 References: 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, SRG-OS-000027-VMM-000080, RHEL-08-020024, SV-230346r627750_rule |
| Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in * hard maxlogins 10 |
| Rationale | Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. |
User Initialization Files Must Not Run World-Writable Programs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_dot_no_world_writable_programs:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84039-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010660, 6.2.12, SV-230309r627750_rule |
| Description | Set the mode on files being executed by the user initialization files with the following command: $ sudo chmod o-w FILE |
| Rationale | If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. |
Init files do not execute world-writable programs oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance |
|---|---|---|---|---|
| (\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)There was a problem processing referenced variable (oval:ssg-var_accounts_user_dot_no_world_writabl | no value | 1 |
Ensure that Users Path Contains Only Local Directories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84040-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010690, SV-230317r792896_rule |
| Description | Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. |
| Rationale | The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). |
All Interactive Users Must Have A Home Directory Defined
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined |
| Result | notapplicable |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_defined:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84036-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010720, SV-230320r627750_rule |
| Description | Assign home directories to all interactive users that currently do not
have a home directory assigned.
This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like |
| Rationale | If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. |
All Interactive Users Have A Home Directory Defined oval:ssg-test_accounts_user_interactive_home_directory_defined:tst:1 not applicable
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_interactive_home_directory_defined_objects:obj:1 of type password_object
| Username | Filter |
|---|---|
| nobody | oval:ssg-state_accounts_user_interactive_home_directory_defined_uids:ste:1 |
All Interactive Users Home Directories Must Exist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_exists:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83424-2 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, 6.2.9, SV-230323r627750_rule |
| Description | Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in $ sudo mkdir /home/USER |
| Rationale | If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. |
Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_interactive_home_directory_exists_dirs_count_fs:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1 |
Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1 false
Following items have been found on the system:
| Var ref |
|---|
| oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1 |
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_users_home_files_groupownership:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86534-5 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010741, SV-244532r743845_rule |
| Description | Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command: $ sudo chgrp USER_GROUP /home/USER/FILE_DIRThis rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user. |
| Rationale | If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of folders or files in their respective home directories. |
All home directories files are group-owned by a local interactive user oval:ssg-test_accounts_users_home_files_groupownership:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_users_home_files_groupownership_dirs:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| There was a problem processing referenced variable (oval:ssg-var_accounts_users_home_files_groupown | no value | .* |
All Interactive User Home Directories Must Be Group-Owned By The Primary User
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_home_directories:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83434-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, 6.2.10, SV-230322r743963_rule |
| Description | Change the group owner of interactive users home directory to the
group found in $ sudo chgrp USER_GROUP /home/USERThis rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory. |
| Rationale | If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of their respective home directories. |
All home directories are group-owned by a local interactive group oval:ssg-test_file_groupownership_home_directories:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_home_directories_dirs:obj:1 of type file_object
| Path | Filename |
|---|---|
| There was a problem processing referenced variable (oval:ssg-var_file_groupownership_home_directori | no value |
Enable authselect
| Rule ID | xccdf_org.ssgproject.content_rule_enable_authselect |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_authselect:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-88248-0 References: BP28(R5), CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 1.2.3 |
| Description | Configure user authentication setup to use the |
| Rationale | Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases. |
| Warnings | warning
If the sudo authselect select command returns an error informing that the chosen
profile cannot be selected, it is probably because PAM files have already been modified by
the administrator. If this is the case, in order to not overwrite the desired changes made
by the administrator, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile. |
The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_fingerprint_symlinked_to_authselect:obj:1 of type symlink_object
| Filepath |
|---|
| /etc/pam.d/fingerprint-auth |
The 'password-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_password_symlinked_to_authselect:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_password_symlinked_to_authselect:obj:1 of type symlink_object
| Filepath |
|---|
| /etc/pam.d/password-auth |
The 'postlogin' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_postlogin_symlinked_to_authselect:obj:1 of type symlink_object
| Filepath |
|---|
| /etc/pam.d/postlogin |
The 'smartcard-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_smartcard_symlinked_to_authselect:obj:1 of type symlink_object
| Filepath |
|---|
| /etc/pam.d/smartcard-auth |
The 'system-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_system_symlinked_to_authselect:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_system_symlinked_to_authselect:obj:1 of type symlink_object
| Filepath |
|---|
| /etc/pam.d/system-auth |
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80685-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80686-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80687-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80688-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80689-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80690-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80691-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80692-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80693-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80694-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80695-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80696-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80697-6 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Any Attempts to Run chacl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89446-9 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, RHEL-08-030570, SV-230464r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). |
Record Any Attempts to Run setfacl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-88437-9 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030330, SV-230435r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). |
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80698-4 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850, RHEL-08-030260, SV-230419r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80700-8 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850, RHEL-08-030313, SV-230429r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Record Any Attempts to Run setfiles
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82280-9 References: CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850, RHEL-08-030314, SV-230430r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80701-6 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000463-VMM-001850, RHEL-08-030316, SV-230432r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80703-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80704-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80705-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.14, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80706-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80707-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. |
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80751-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80752-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80753-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80755-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.10, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80754-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80756-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80711-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030390, 4.1.3.19, SV-230446r627750_rule |
| Description | To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80712-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030360, 4.1.15, SV-230438r810464_rule |
| Description | If the -a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modulesIf the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules |
| Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80713-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule |
| Description | To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: -a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80719-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900, RHEL-08-030600, 4.1.3.12, SV-230467r627750_rule |
| Description | The audit system already collects login information for all users
and root. If the -w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80725-5 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030250, SV-230418r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80726-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030410, SV-230448r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80727-1 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030400, SV-230447r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80728-9 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030370, SV-230444r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - kmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89455-0 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, RHEL-08-030580, SV-230465r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). |
Ensure auditd Collects Information on the Use of Privileged Commands - mount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80989-7 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030300, SV-230423r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80729-7 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030350, SV-230437r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80731-3 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030290, SV-230422r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80732-1 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030311, SV-230427r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80733-9 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030312, SV-230428r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Record Any Attempts to Run ssh-agent
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85944-7 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030280, SV-230421r627750_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agentIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent |
| Rationale | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80735-4 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030320, SV-230434r744002_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80736-2 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000471-VMM-001910, RHEL-08-030190, SV-230412r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80737-0 References: BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000471-VMM-001910, RHEL-08-030550, SV-230462r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80739-6 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030301, SV-230424r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80740-4 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030317, SV-230433r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89480-8 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030310, SV-230426r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80741-2 References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-VMM-001910, RHEL-08-030315, SV-230431r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86027-0 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, RHEL-08-030560, SV-230463r627750_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
|
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80708-1 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030121, 4.1.3.20, SV-230402r627750_rule |
| Description | If the -e 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. |
Ensure auditd Collects Information on Exporting to Media (successful)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80722-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030302, 4.1.3.10, SV-230425r627750_rule |
| Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=exportIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
| Rationale | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. |
Ensure auditd Collects System Administrator Actions - /etc/sudoers
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sudoers |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-90175-1 References: CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030171, SV-230409r627750_rule |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the -w /etc/sudoers -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. |
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89497-2 References: CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, RHEL-08-030172, SV-230410r627750_rule |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the -w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers.d/ -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. |
Record Events When Privileged Executables Are Run
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83556-1 References: CCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234, CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, RHEL-08-030000, SV-230386r627750_rule |
| Description | Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command: $ sudo grep execve /etc/audit/audit.rulesIf audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgidIf both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. |
Record Events that Modify User/Group Information - /etc/group
Record Events that Modify User/Group Information - /etc/gshadow
Record Events that Modify User/Group Information - /etc/security/opasswd
Record Events that Modify User/Group Information - /etc/passwd
Record Events that Modify User/Group Information - /etc/shadow
System Audit Directories Must Be Group Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_directory_group_ownership_var_log_audit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-88225-8 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030110, SV-230400r627750_rule |
| Description | All audit directories must be group owned by root user. By default, the path for audit log is /var/log/audit/. To properly set the group owner of /var/log/audit, run the command:
$ sudo chgrp root /var/log/auditIf log_group in /etc/audit/auditd.conf is set to a group other than the root
group account, change the group ownership of the audit directories to this specific group. |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
System Audit Directories Must Be Owned By Root
System Audit Logs Must Be Group Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-88227-4 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030090, SV-230398r627750_rule |
| Description | All audit logs must be group owned by root user. The path for audit log can
be configured via /etc/audit/auditd.confor, by default, the path for audit log is /var/log/audit/. To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*If log_group in /etc/audit/auditd.conf is set to a group other
than the root group account, change the group ownership of the audit logs
to this specific group. |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
System Audit Logs Must Be Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-88228-2 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, RHEL-08-030080, SV-230397r627750_rule |
| Description | All audit logs must be owned by root user. The path for audit log can be
configured via /etc/audit/auditd.confor by default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. |
Configure a Sufficiently Large Partition for Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84005-8 References: CCI-001849, SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133, RHEL-08-030660, SV-230476r809313_rule |
| Description | The Red Hat Enterprise Linux 8 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logCheck the size of the partition that audit records are written to with the following command: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit |
| Rationale | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. |
Configure auditd Disk Error Action on Disk Error
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84046-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030040, SV-230390r627750_rule |
| Description | The disk_error_action = ACTIONSet this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. |
Configure auditd Disk Full Action when Disk Space Is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84045-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, RHEL-08-030060, SV-230392r627750_rule |
| Description | The disk_full_action = ACTIONSet this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec,
single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
Configure auditd mail_acct Action on Low Disk Space
Configure auditd space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80684-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240, RHEL-08-030731, 4.1.2.3, SV-244543r743878_rule |
| Description | The space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
Configure auditd space_left on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86055-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240, RHEL-08-030730, SV-230483r744014_rule |
| Description | The space_left = PERCENTAGE%Set this value to at least 25 to cause the system to notify the user of an issue. |
| Rationale | Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. |
Include Local Events in Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82233-8 References: CCI-000366, CM-6, FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227, RHEL-08-030061, SV-230393r627750_rule |
| Description | To configure Audit daemon to include local events in Audit logs, set
|
| Rationale | If option |
Resolve information before writing to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82201-5 References: CCI-000366, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227, RHEL-08-030063, SV-230395r627750_rule |
| Description | To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set |
| Rationale | If option |
Set hostname as computer node name in audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82897-0 References: CCI-001851, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030062, SV-230394r627750_rule |
| Description | To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set |
| Rationale | If option |
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_overflow_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85889-4 References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030700, SV-230480r627750_rule |
| Description | The audit system should have an action setup in the event the internal event queue becomes full.
To setup an overflow action edit |
| Rationale | The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. |
Configure immutable Audit login UIDs
| Rule ID | xccdf_org.ssgproject.content_rule_audit_immutable_login_uids |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82828-5 References: CCI-000162, CCI-000163, CCI-000164, AU-2(a), FAU_GEN.1.2, SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030122, SV-230403r627750_rule |
| Description | Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above: ## Make the loginuid immutable. This prevents tampering with the auid. --loginuid-immutableLoad new Audit rules into kernel by running: augenrules --load |
| Rationale | If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. |
Ensure the audit Subsystem is Installed
Enable auditd Service
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80825-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, SRG-OS-000254-VMM-000880, RHEL-08-030601, 4.1.1.3, SV-230468r792904_rule |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument GRUB_CMDLINE_LINUX="... audit=1 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although |
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80943-4 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884, CM-6(a), FAU_STG.1, FAU_STG.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030602, 4.1.1.4, SV-230469r792906_rule |
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit_backlog_limit=8192" |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken. |
Set the Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_admin_username |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83561-1 References: BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010149, SV-244522r792984_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv |
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80828-7 References: BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, 1.4.1, SV-230235r743925_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
# grub2-setpasswordWhen prompted, enter the password that was selected. |
| Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the UEFI Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83542-1 References: BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010141, SV-244521r792982_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv |
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80829-5 References: BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, 1.4.1, SV-230234r743922_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
# grub2-setpasswordWhen prompted, enter the password that was selected. |
| Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Enable Kernel Page-Table Isolation (KPTI)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_pti_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82194-2 References: CCI-000381, SI-16, SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049, RHEL-08-040004, SV-230491r818842_rule |
| Description | To enable Kernel page-table isolation,
add the argument GRUB_CMDLINE_LINUX="... pti=on ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="pti=on" |
| Rationale | Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). |
Disable vsyscalls
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80946-7 References: CCI-001084, CM-7(a), FPT_ASLR_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010422, SV-230278r792886_rule |
| Description | To disable use of virtual syscalls,
add the argument GRUB_CMDLINE_LINUX="... vsyscall=none ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="vsyscall=none" |
| Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. |
Ensure cron Is Logging To Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80859-2 References: 1, 14, 15, 16, 3, 5, 6, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-000366, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, 0988, 1405, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2, CM-6(a), ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227, RHEL-08-030010, SV-230387r743996_rule |
| Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron.* /var/log/cron |
| Rationale | Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. |
Ensure Rsyslog Authenticates Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86339-9 References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030720, SV-230482r627750_rule |
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with |
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. |
Ensure Rsyslog Encrypts Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86098-1 References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r818840_rule |
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with |
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. |
Ensure Rsyslog Encrypts Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85992-6 References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, RHEL-08-030710, SV-230481r818840_rule |
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with |
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. |
Ensure remote access methods are monitored in Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83426-7 References: CCI-000067, AC-17(1), SRG-OS-000032-GPOS-00013, RHEL-08-010070, SV-230228r627750_rule |
| Description | Logging of remote access methods must be implemented to help identify cyber
attacks and ensure ongoing compliance with remote access policies are being
audited and upheld. An examples of a remote access method is the use of the
Remote Desktop Protocol (RDP) from an external, non-organization controlled
network. The auth.*;authpriv.*;daemon.* /var/log/secure |
| Rationale | Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. |
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80863-4 References: BP28(R7), NT28(R43), NT12(R5), 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, SRG-OS-000032-VMM-000130, RHEL-08-030690, 4.2.1.6, SV-230479r627750_rule |
| Description | To configure rsyslog to send logs to a remote log server,
open *.* @logcollector To use TCP for log message delivery: *.* @@logcollector To use RELP for log message delivery: *.* :omrelp:logcollector There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. |
| Warnings | warning
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into /etc/rsyslog.conf
can look like the following lines:
$ActionQueueType LinkedList $ActionQueueFileName queuefilename $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionResumeRetryCount -1 |
Ensure rsyslog-gnutls is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82859-0 References: BP28(R43), CCI-000366, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, RHEL-08-030680, SV-230478r744011_rule |
| Description | TLS protocol support for rsyslog is installed.
The $ sudo yum install rsyslog-gnutls |
| Rationale | The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. |
Ensure rsyslog is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80847-7 References: BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, 4.2.1.1, SV-230477r627750_rule |
| Description | Rsyslog is installed by default. The $ sudo yum install rsyslog |
| Rationale | The rsyslog package provides the rsyslog daemon, which provides system logging services. |
Enable rsyslog Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80886-5 References: BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, 4.2.1.2, SV-230298r627750_rule |
| Description | The $ sudo systemctl enable rsyslog.service |
| Rationale | The |
Install firewalld Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_firewalld_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82998-6 References: CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, 3.4.1.1, SV-230505r744020_rule |
| Description | The $ sudo yum install firewalld |
| Rationale | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." |
Verify firewalld Enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80877-4 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, RHEL-08-040101, 3.4.1.4, SV-244544r743881_rule |
| Description |
The $ sudo systemctl enable firewalld.service |
| Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
Configure the Firewalld Ports
| Rule ID | xccdf_org.ssgproject.content_rule_configure_firewalld_ports |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84300-3 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, CCI-002314, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1416, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000096-VMM-000490, SRG-OS-000480-VMM-002000, RHEL-08-040030, SV-230500r627750_rule |
| Description | Configure the firewall-cmd --permanent --add-port=port_number/tcpTo configure firewalld to allow access for pre-defined services, run the following
command:
firewall-cmd --permanent --add-service=service_name |
| Rationale | In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
disable or restrict unused or unnecessary physical and logical ports/protocols on information
systems.
|
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81006-9 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, 3.3.9, SV-230541r833351_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81009-3 References: BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, 3.3.2, SV-230544r833357_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81013-5 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, 3.3.1, SV-230538r833346_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
|
Disable Kernel Parameter for IPv6 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82863-2 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, 3.2.1, SV-230540r833349_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.forwarding=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0 |
| Rationale | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81007-7 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, 3.3.9, SV-230542r833353_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81010-1 References: BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, 3.3.2, SV-230535r833340_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81015-0 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040250, 3.3.1, SV-230539r838722_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80917-8 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, 3.3.2, SV-244553r833379_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
|
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81011-9 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, 3.3.1, SV-244551r833375_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
|
Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86220-1 References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040259, SV-250317r833383_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.forwarding=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.forwarding = 0 |
| Rationale | IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. |
| Warnings | warning
There might be cases when certain applications can systematically override this option.
One such case is Libvirt; a toolkit for managing of virtualization platforms.
By default, Libvirt requires IP forwarding to be enabled to facilitate
network communication between the virtualization host and guest
machines. It enables IP forwarding after every reboot. |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81021-8 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040285, 3.3.7, SV-230549r833367_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1 |
| Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80919-4 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040209, 3.3.2, SV-244550r833373_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
|
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80920-2 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, 3.3.1, SV-244552r833377_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
|
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80922-8 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040230, 3.3.5, SV-230537r833344_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
|
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80918-6 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, 3.2.2, SV-230536r833342_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80921-0 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040270, 3.2.2, SV-230543r833355_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
|
Disable ATM Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82028-2 References: CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040021, SV-230494r792911_rule |
| Description | The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the install atm /bin/trueTo configure the system to prevent the atm from being used,
add the following line to file /etc/modprobe.d/atm.conf:
blacklist atm |
| Rationale | Disabling ATM protects the system against exploitation of any flaws in its implementation. |
Disable CAN Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82059-7 References: CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040022, SV-230495r792914_rule |
| Description | The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the install can /bin/trueTo configure the system to prevent the can from being used,
add the following line to file /etc/modprobe.d/can.conf:
blacklist can |
| Rationale | Disabling CAN protects the system against exploitation of any flaws in its implementation. |
Disable IEEE 1394 (FireWire) Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82005-0 References: CCI-000381, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040026, SV-230499r792924_rule |
| Description | The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the install firewire-core /bin/trueTo configure the system to prevent the firewire-core from being used,
add the following line to file /etc/modprobe.d/firewire-core.conf:
blacklist firewire-core |
| Rationale | Disabling FireWire protects the system against exploitation of any flaws in its implementation. |
Disable SCTP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80834-5 References: 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040023, 3.1.2, SV-230496r792917_rule |
| Description | The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the install sctp /bin/trueTo configure the system to prevent the sctp from being used,
add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp |
| Rationale | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
Disable TIPC Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82297-3 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, RHEL-08-040024, SV-230497r792920_rule |
| Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the install tipc /bin/trueTo configure the system to prevent the tipc from being used,
add the following line to file /etc/modprobe.d/tipc.conf:
blacklist tipc |
| Rationale | Disabling TIPC protects the system against exploitation of any flaws in its implementation. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
Disable Bluetooth Kernel Module
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80832-9 References: 11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001443, CCI-001444, CCI-001551, CCI-002418, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118, RHEL-08-040111, SV-230507r833336_rule |
| Description | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate install bluetooth /bin/true |
| Rationale | If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. |
Deactivate Wireless Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83501-7 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, RHEL-08-040110, 3.1.4, SV-230506r627750_rule |
| Description | Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
$ sudo nmcli radio all off |
| Rationale | The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. |
Configure Multiple DNS Servers in /etc/resolv.conf
| Rule ID | xccdf_org.ssgproject.content_rule_network_configure_name_resolution |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-network_configure_name_resolution:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84049-6 References: 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-20(a), CM-6(a), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010680, SV-230316r627750_rule |
| Description | Determine whether the system is using local or DNS name resolution with the following command: $ sudo grep hosts /etc/nsswitch.conf hosts: files dnsIf the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: $ sudo ls -al /etc/resolv.conf -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.confIf the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following: Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
as least 2 DNS servers, add a corresponding nameserver
ip_address entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com nameserver 192.168.0.1 nameserver 192.168.0.2 |
| Rationale | To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. |
check if dns is set in host line in /etc/nsswitch.conf oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/nsswitch.conf | hosts: files dns myhostname |
check if more than one nameserver in /etc/resolv.conf oval:ssg-test_network_configure_name_resolution:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/resolv.conf | ^[\s]*nameserver[\s]+([0-9\.]+)$ | 1 |
check if dns is set in host line in /etc/nsswitch.conf oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/nsswitch.conf | hosts: files dns myhostname |
check if /etc/resolv.conf is empty oval:ssg-test_file_empty_resolv:tst:1 false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/resolv.conf | regular | 0 | 0 | 55 | rw-r--r-- |
Ensure System is Not Acting as a Network Sniffer
| Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82283-3 References: 1, 11, 14, 3, 9, APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3, DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040330, SV-230554r627750_rule |
| Description | The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: $ ip link | grep PROMISCPromiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev |
| Rationale | Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
|
Verify Group Who Owns /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_var_log |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_var_log:def:1 |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83659-3 References: CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010260, SV-230250r627750_rule |
| Description | To properly set the group owner of $ sudo chgrp root /var/log |
| Rationale | The |
Testing group ownership of /var/log/ oval:ssg-test_file_groupowner_var_log_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /var/log | no value | oval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1 | oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1 |
Verify User Who Owns /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_var_log |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_var_log:def:1 |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83661-9 References: CCI-001314, SRG-OS-000206-GPOS-00084, RHEL-08-010250, SV-230249r627750_rule |
| Description | To properly set the owner of $ sudo chown root /var/log |
| Rationale | The |
Testing user ownership of /var/log/ oval:ssg-test_file_owner_var_log_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /var/log | no value | oval:ssg-symlink_file_owner_var_log_uid_0:ste:1 | oval:ssg-state_file_owner_var_log_uid_0_0:ste:1 |
Verify that Shared Library Directories Have Root Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_group_ownership_library_dirs:def:1 |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85894-4 References: CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010351, SV-251709r810014_rule |
| Description | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR |
| Rationale | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. |
Testing group ownership of /lib/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_0:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_0:ste:1 |
Testing group ownership of /lib64/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_1:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_1:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib64 | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_1:ste:1 |
Testing group ownership of /usr/lib/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_2:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_2:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_2:ste:1 |
Testing group ownership of /usr/lib64/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_3:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_3:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib64 | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_3:ste:1 |
Verify that Shared Library Directories Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_ownership_library_dirs:def:1 |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89021-0 References: CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010341, SV-251708r810012_rule |
| Description | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be
owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR |
| Rationale | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. |
Testing user ownership of /lib/ oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1 |
Testing user ownership of /lib64/ oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib64 | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1 |
Testing user ownership of /usr/lib/ oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1 |
Testing user ownership of /usr/lib64/ oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib64 | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1 |
Verify that system commands files are group owned by root or a system account
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_system_commands_dirs:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86519-6 References: CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, RHEL-08-010320, SV-230259r792864_rule |
| Description | System commands files are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbinAll files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE |
| Rationale | If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. |
system commands are owned by root or a system account oval:ssg-test_groupownership_system_commands_dirs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_groupownership_system_commands_dirs:obj:1 of type file_object
| Path | Filename | Filter |
|---|---|---|
| ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin | ^.*$ | oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1 |
Verify that System Executables Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_binary_dirs:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80806-3 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010310, SV-230258r627750_rule |
| Description | System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE |
| Rationale | System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. |
binary directories uid root oval:ssg-test_ownership_binary_directories:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_directories:obj:1 of type file_object
| Path | Filename | Filter |
|---|---|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | no value | oval:ssg-state_owner_binaries_not_root:ste:1 |
binary files uid root oval:ssg-test_ownership_binary_files:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_files:obj:1 of type file_object
| Path | Filename | Filter |
|---|---|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | ^.*$ | oval:ssg-state_owner_binaries_not_root:ste:1 |
Verify that Shared Library Files Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_library_dirs:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80807-1 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, RHEL-08-010340, SV-230261r627750_rule |
| Description | System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: /lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE |
| Rationale | Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. |
Testing user ownership of /lib/ oval:ssg-test_file_ownership_library_dirs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_0:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1 |
Testing user ownership of /lib64/ oval:ssg-test_file_ownership_library_dirs_1:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_1:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib64 | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1 |
Testing user ownership of /usr/lib/ oval:ssg-test_file_ownership_library_dirs_2:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_2:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1 |
Testing user ownership of /usr/lib64/ oval:ssg-test_file_ownership_library_dirs_3:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_3:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib64 | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1 |
Ensure All World-Writable Directories Are Owned by root user
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_root_owned:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83375-6 References: BP28(R40), CCI-000366, SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069, RHEL-08-010700, SV-230318r743960_rule |
| Description | All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user. |
| Rationale | Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. |
check for local directories that are world writable and have uid greater than 0 oval:ssg-test_dir_world_writable_uid_gt_zero:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_uid_zero:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 |
Verify that All World-Writable Directories Have Sticky Bits Set
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_sticky_bits:def:1 |
| Time | 2022-11-10T23:33:58 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80783-4 References: BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, 6.1.2, SV-230243r792857_rule |
| Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
$ sudo chmod +t DIR |
| Rationale | Failing to set the sticky bit on public directories allows unauthorized
users to delete files in the directory structure.
|
all local world-writable directories have sticky bit set oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_world_writable_and_not_sticky:ste:1 |
Ensure All World-Writable Directories Are Group Owned by a System Account
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_system_owned_group:def:1 |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85886-0 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010710, SV-230319r743961_rule |
| Description | All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. |
| Rationale | Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. |
check for local directories that are world writable and have gid greater than or equal to 1000 oval:ssg-test_dir_world_writable_gid_gt_value:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_gid:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_gid_is_user_and_world_writable:ste:1 |
Ensure All Files Are Owned by a User
| Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83499-4 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010780, 6.1.12, SV-230326r627750_rule |
| Description | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user: $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser |
| Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. |
| Warnings | warning
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwdreturns a list of all users in your organization. If using the System Security Services Daemon (SSSD), enumerate = truemust be configured in your organization's domain to return a complete list of users warning
Enabling this rule will result in slower scan times depending on the size of your organization
and number of centralized users. |
Enable Kernel Parameter to Enforce DAC on Hardlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81027-5 References: BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, RHEL-08-010374, SV-230268r833294_rule |
| Description | To set the runtime status of the $ sudo sysctl -w fs.protected_hardlinks=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 |
| Rationale | By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of |
Enable Kernel Parameter to Enforce DAC on Symlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:33:59 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81030-9 References: BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, RHEL-08-010373, SV-230267r833292_rule |
| Description | To set the runtime status of the $ sudo sysctl -w fs.protected_symlinks=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 |
| Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
|
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80873-3 References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, 1.1.9, SV-230502r627750_rule |
| Description | The $ sudo systemctl mask --now autofs.service |
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through |
Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-81031-7 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, 1.1.1.1, SV-230498r792922_rule |
| Description |
To configure the system to prevent the install cramfs /bin/trueTo configure the system to prevent the cramfs from being used,
add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfsThis effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack surface of the server. |
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80835-2 References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, 1.1.10, SV-230503r809319_rule |
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the install usb-storage /bin/trueTo configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storageThis will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce malicious software. |
Add nosuid Option to /boot/efi
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86038-7 References: CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, RHEL-08-010572, SV-244530r809336_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions. |
Add nosuid Option to /boot
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81033-3 References: BP28(R12), CCI-000366, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010571, SV-230300r743959_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions. |
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80837-8 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, 1.1.8.1, SV-230508r627750_rule |
| Description | The |
| Rationale | The only legitimate location for device files is the |
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80838-6 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, 1.1.8.2, SV-230510r627750_rule |
| Description | The |
| Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80839-4 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, 1.1.8.3, SV-230509r627750_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add noexec Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83328-5 References: BP28(R12), CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-010590, SV-230302r627750_rule |
| Description | The |
| Rationale | The |
Add nosuid Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81050-7 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, 1.1.7.3, SV-230299r627750_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. |
Add nodev Option to Non-Root Local Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82069-6 References: BP28(R12), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010580, SV-230301r627750_rule |
| Description | The |
| Rationale | The |
Add nodev Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82742-8 References: 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010600, 1.1.18, SV-230303r627750_rule |
| Description | The |
| Rationale | The only legitimate location for device files is the |
Add noexec Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82746-9 References: 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010610, 1.1.20, SV-230304r627750_rule |
| Description | The |
| Rationale | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. |
Add nosuid Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82744-4 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010620, 1.1.19, SV-230305r627750_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. |
Add nodev Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82623-0 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, 1.1.2.2, SV-230511r627750_rule |
| Description | The |
| Rationale | The only legitimate location for device files is the |
Add noexec Option to /tmp
Add nosuid Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82140-5 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, 1.1.2.4, SV-230512r627750_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82080-3 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, 1.1.6.3, SV-230517r627750_rule |
| Description | The |
| Rationale | The only legitimate location for device files is the |
Add noexec Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82975-4 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, 1.1.6.2, SV-230519r627750_rule |
| Description | The |
| Rationale | Allowing users to execute binaries from directories containing audit log files
such as |
Add nosuid Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82921-8 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, 1.1.6.4, SV-230518r627750_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files. |
Add nodev Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82077-9 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, 1.1.5.2, SV-230514r627750_rule |
| Description | The |
| Rationale | The only legitimate location for device files is the |
Add noexec Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82008-4 References: BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, 1.1.5.3, SV-230516r627750_rule |
| Description | The |
| Rationale | Allowing users to execute binaries from directories containing log files
such as |
Add nosuid Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82065-4 References: BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, 1.1.5.4, SV-230515r627750_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files. |
Add nodev Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82068-8 References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, 1.1.4.4, SV-230520r792927_rule |
| Description | The |
| Rationale | The only legitimate location for device files is the |
Add noexec Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82151-2 References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, 1.1.4.2, SV-230522r792933_rule |
| Description | The |
| Rationale | Allowing users to execute binaries from world-writable directories
such as |
Add nosuid Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82154-6 References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, 1.1.4.3, SV-230521r792930_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Disable acquiring, saving, and processing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82881-4 References: CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010672, SV-230312r833308_rule |
| Description | The |
| Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82251-0 References: CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, 1.5.2, SV-230315r627750_rule |
| Description | The |
| Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_backtraces:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82252-8 References: CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, 1.5.1, SV-230314r627750_rule |
| Description | The |
| Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of Storage setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_storage:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable Core Dumps for All Users
| Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81038-2 References: 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, SRG-OS-000480-GPOS-00227, RHEL-08-010673, 1.6.1, SV-230313r627750_rule |
| Description | To disable core dumps for all users, add the following line to
* hard core 0 |
| Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Restrict Exposed Kernel Pointer Addresses Access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80915-2 References: BP28(R23), CCI-002824, CCI-000366, CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, RHEL-08-040283, SV-230547r833363_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.kptr_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 |
| Rationale | Exposing kernel pointers (through procfs or |
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80916-0 References: BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, 1.5.3, SV-230280r833303_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
Enable NX or XD Support in the BIOS
| Rule ID | xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83918-3 References: BP28(R9), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.7, CCI-002824, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, SC-39, CM-6(a), PR.IP-1, SRG-OS-000433-GPOS-00192, RHEL-08-010420, SV-230276r627750_rule |
| Description | Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. |
| Rationale | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. |
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80944-2 References: CCI-001084, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010421, SV-230277r792884_rule |
| Description | To enable poisoning of free pages,
add the argument GRUB_CMDLINE_LINUX="... page_poison=1 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="page_poison=1" |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. |
Enable SLUB/SLAB allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80945-9 References: CCI-001084, CM-6(a), SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068, RHEL-08-010423, SV-230279r792888_rule |
| Description | To enable poisoning of SLUB/SLAB objects,
add the argument GRUB_CMDLINE_LINUX="... slub_debug=P ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="slub_debug=P" |
| Rationale | Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. |
Disable storing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82215-5 References: CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010671, SV-230311r833305_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.core_pattern=|/bin/falseTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false |
| Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80913-7 References: BP28(R23), 3.1.5, CCI-001090, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, RHEL-08-010375, SV-230269r833296_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.dmesg_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel address information. |
Disable Kernel Image Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80952-5 References: CCI-001749, CM-6, SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153, RHEL-08-010372, SV-230266r833290_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.kexec_load_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 |
| Rationale | Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. |
Disallow kernel profiling by unprivileged users
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-81054-9 References: BP28(R23), CCI-001090, AC-6, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, RHEL-08-010376, SV-230270r833298_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.perf_event_paranoid=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 |
| Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
Disable Access to Network bpf() Syscall From Unprivileged Processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82974-7 References: CCI-000366, AC-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040281, SV-230545r833359_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 |
| Rationale | Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state. |
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80953-3 References: BP28(R25), CCI-000366, SC-7(10), SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, RHEL-08-040282, SV-230546r833361_rule |
| Description | To set the runtime status of the $ sudo sysctl -w kernel.yama.ptrace_scope=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 |
| Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). |
Harden the operation of the BPF just-in-time compiler
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82934-1 References: CCI-000366, CM-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040286, SV-244554r833381_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.core.bpf_jit_harden=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 |
| Rationale | When hardened, the extended Berkeley Packet Filter just-in-time compiler
will randomize any kernel addresses in the BPF programs and maps,
and will not expose the JIT addresses in |
Disable the use of user namespaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82211-4 References: CCI-000366, SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-040284, SV-230548r833365_rule |
| Description | To set the runtime status of the $ sudo sysctl -w user.max_user_namespaces=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0When containers are deployed on the machine, the value should be set to large non-zero value. |
| Rationale | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that user.max_user_namespaces will be enabled. |
Install policycoreutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82976-2 References: CCI-001084, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, RHEL-08-010171, SV-230241r627750_rule |
| Description | The $ sudo yum install policycoreutils |
| Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.
|
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80868-3 References: BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780, RHEL-08-010450, 1.6.1.3, SV-230282r627750_rule |
| Description | The SELinux SELINUXTYPE=targetedOther policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to |
Ensure SELinux State is Enforcing
Uninstall Automatic Bug Reporting Tool (abrt)
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt_removed:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80948-3 References: CCI-000381, SRG-OS-000095-GPOS-00049, RHEL-08-040001, SV-230488r627750_rule |
| Description | The Automatic Bug Reporting Tool ( $ sudo yum erase abrt |
| Rationale | Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. |
package abrt is removed oval:ssg-test_package_abrt_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt |
Disable KDump Kernel Crash Analyzer (kdump)
| Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80878-2 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000366, CCI-001665, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227, RHEL-08-010670, SV-230310r627750_rule |
| Description | The $ sudo systemctl mask --now kdump.service |
| Rationale | Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. |
Install fapolicyd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_fapolicyd_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82191-8 References: CCI-001764, CCI-001774, CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, RHEL-08-040135, SV-230523r744023_rule |
| Description | The $ sudo yum install fapolicyd |
| Rationale |
|
Enable the File Access Policy Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82249-4 References: CCI-001764, CCI-001774, CM-6(a), SI-4(22), FMT_SMF_EXT.1, SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, RHEL-08-040136, SV-244545r743884_rule |
| Description | The File Access Policy service should be enabled.
The $ sudo systemctl enable fapolicyd.service |
| Rationale | The |
Uninstall vsftpd Package
package vsftpd is removed oval:ssg-test_package_vsftpd_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object
| Name |
|---|
| vsftpd |
Remove the Kerberos Server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_krb5-server_removed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85887-8 References: CCI-000803, IA-7, IA-7.1, SRG-OS-000120-GPOS-00061, RHEL-08-010163, SV-237640r646890_rule |
| Description | The $ sudo yum erase krb5-serverThe krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos Server it should be removed. |
| Rationale | Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems. |
Disable Kerberos by removing host keytab
| Rule ID | xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82175-1 References: CCI-000803, 0418, 1055, 1402, FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, RHEL-08-010161, SV-230238r646862_rule |
| Description | Kerberos is not an approved key distribution method for
Common Criteria. To prevent using Kerberos by system daemons,
remove the Kerberos keytab files, especially
|
| Rationale | The key derivation function (KDF) in Kerberos is not FIPS compatible. |
Configure System to Forward All Mail From Postmaster to The Root Account
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89063-2 References: CCI-000139, AU-5(a), AU-5.1(ii), SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule |
| Description | Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". $ sudo grep "postmaster:\s*root$" /etc/aliases postmaster: root |
| Rationale | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. |
Prevent Unrestricted Mail Relaying
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84054-6 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-040290, SV-230550r627750_rule |
| Description | Modify the /etc/postfix/main.cffile to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' |
| Rationale | If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. |
The Postfix package is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_postfix_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85983-5 References: SRG-OS-000046-GPOS-00022, RHEL-08-030030, SV-230389r627750_rule |
| Description | A mail server is required for sending emails.
The $ sudo yum install postfix |
| Rationale | Emails can be used to notify designated personnel about important system events such as failures or warnings. |
Uninstall Sendmail Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81039-0 References: BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, RHEL-08-040002, SV-230489r627750_rule |
| Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The $ sudo yum erase sendmail |
| Rationale | The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. |
Mount Remote Filesystems with nodev
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84052-0 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-6(a), MP-2, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010640, SV-230307r627750_rule |
| Description | Add the |
| Rationale | Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. |
Mount Remote Filesystems with noexec
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84050-4 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(8), AC-6(10), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010630, SV-230306r627750_rule |
| Description | Add the |
| Rationale | The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. |
Mount Remote Filesystems with nosuid
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84053-8 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010650, SV-230308r627750_rule |
| Description | Add the |
| Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. |
Disable chrony daemon from acting as server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82988-7 References: CCI-000381, AU-8(1), AU-12(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030741, SV-230485r627750_rule |
| Description | The |
| Rationale | Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. |
Disable network management of chrony daemon
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82840-0 References: CCI-000381, CM-7(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, RHEL-08-030742, SV-230486r627750_rule |
| Description | The |
| Rationale | Not exposing the management interface of the chrony daemon on the network diminishes the attack space. |
Configure Time Service Maxpoll Interval
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84059-5 References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), AU-12(1), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, RHEL-08-030740, SV-230484r627750_rule |
| Description | The maxpoll 16to serverdirectives. If using chrony any pooldirectives should be configured too. If no server or pool directives are configured, the rule evaluates
to pass. |
| Rationale | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). |
Ensure Chrony is only configured with the server directive
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_server_directive |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86077-5 References: CCI-001891, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, RHEL-08-030740, SV-230484r627750_rule |
| Description | Check that Chrony only has time sources configured with the |
| Rationale | Depending on the infrastruture being used the |
| Warnings | warning
This rule doesn't come with a remediation, the time source needs to be added by the adminstrator. |
Uninstall rsh-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsh-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsh-server_removed:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82184-3 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040010, SV-230492r627750_rule |
| Description | The $ sudo yum erase rsh-server |
| Rationale | The |
package rsh-server is removed oval:ssg-test_package_rsh-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| rsh-server |
Remove Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_host_based_files |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_host_based_files:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-84055-3 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010460, SV-230283r627750_rule |
| Description | The $ sudo rm /[path]/[to]/[file]/shosts.equiv |
| Rationale | The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. |
look for shosts.equiv in / oval:ssg-test_no_shosts_equiv:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_equiv_files_root:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | / | shosts.equiv |
Remove User Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_user_host_based_files |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_user_host_based_files:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-84056-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010470, SV-230284r627750_rule |
| Description | The $ sudo find / -name '.shosts' -type f -delete |
| Rationale | The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. |
look for .shosts in / oval:ssg-test_no_shosts:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_files_root:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | / | .shosts |
Uninstall telnet-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82182-7 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, 2.2.16, SV-230487r627750_rule |
| Description | The $ sudo yum erase telnet-server |
| Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
|
package telnet-server is removed oval:ssg-test_package_telnet-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| telnet-server |
Uninstall tftp-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tftp-server_removed:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82436-7 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, 2.2.9, SV-230533r627750_rule |
| Description | The $ sudo yum erase tftp-server |
| Rationale | Removing the |
package tftp-server is removed oval:ssg-test_package_tftp-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| tftp-server |
Ensure tftp Daemon Uses Secure Mode
| Rule ID | xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82434-2 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(b), AC-6, CM-7(a), PR.AC-3, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040350, SV-230557r627750_rule |
| Description | If running the server_args = -s /var/lib/tftpboot |
| Rationale | Using the |
Enable the Hardware RNG Entropy Gatherer Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rngd_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82831-9 References: CCI-000366, FCS_RBG_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010471, SV-230285r627750_rule |
| Description | The Hardware RNG Entropy Gatherer service should be enabled.
The $ sudo systemctl enable rngd.service |
| Rationale | The |
Set SSH Client Alive Count Max to zero
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83405-1 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000, RHEL-08-010200, 5.2.13, SV-230244r743934_rule |
| Description | The SSH server sends at most |
| Rationale | This ensures a user login will be terminated as soon as the |
Set SSH Idle Timeout Interval
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80906-1 References: BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000, RHEL-08-010201, 5.2.20, SV-244525r743824_rule |
| Description | SSH allows administrators to set an idle timeout interval. After this interval
has passed, the idle user will be automatically logged out.
ClientAliveInterval 600 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. |
| Warnings | warning
SSH disconnecting idle clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
Following conditions may prevent the SSH session to time out:
|
Disable Compression Or Set Compression to delayed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_compression |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80895-6 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010510, SV-230289r743954_rule |
| Description | Compression is useful for slow network connections over long
distances but can cause performance issues on local LANs. If use of compression
is required, it should be enabled only after a user has authenticated; otherwise,
it should be disabled. To disable compression or delay compression until after
a user has successfully authenticated, add or correct the following line in the
Compression no |
| Rationale | If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. |
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80896-4 References: NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-020330, 5.2.9, SV-230380r743993_rule |
| Description | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80897-2 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010522, SV-244528r743833_rule |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
GSSAPIAuthentication no |
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. |
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80898-0 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010521, SV-230291r743957_rule |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
KerberosAuthentication no |
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. |
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80901-2 References: BP28(R19), NT007(R21), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010550, 5.2.7, SV-230296r627750_rule |
| Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
PermitRootLogin no |
| Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. |
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV hosts require root access to be managed by RHV Manager. |
Disable SSH Support for User Known Hosts
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80902-0 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, RHEL-08-010520, SV-230290r627750_rule |
| Description | SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
IgnoreUserKnownHosts yes |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
Disable X11 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83360-8 References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040340, 5.2.12, SV-230555r627750_rule |
| Description | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding no |
| Rationale | Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. |
Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80903-8 References: 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, RHEL-08-010830, 5.2.10, SV-230330r646870_rule |
| Description | Ensure that users are not able to override environment variables of the SSH daemon.
PermitUserEnvironment no |
| Rationale | SSH environment options potentially allow users to bypass access restriction in some configurations. |
Enable Use of Strict Mode Checking
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80904-6 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010500, SV-230288r627750_rule |
| Description | SSHs StrictModes yes |
| Rationale | If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. |
Enable SSH Print Last Log
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_print_last_log |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82281-7 References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000366, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-17(a), CM-6(a), PR.AC-7, SRG-OS-000480-GPOS-00227, RHEL-08-020350, SV-230382r627750_rule |
| Description | Ensure that SSH will display the date and time of the last successful account logon.
PrintLastLog yes |
| Rationale | Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. |
Force frequent session key renegotiation
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_rekey_limit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82177-7 References: CCI-000068, FCS_SSH_EXT.1.8, SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014, RHEL-08-040161, SV-230527r627750_rule |
| Description | The RekeyLimit 1G 1h |
| Rationale | By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited. |
SSH server uses strong entropy to seed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_strong_rng |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82462-3 References: CCI-000366, FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00232, SRG-OS-000480-GPOS-00227, RHEL-08-010292, SV-230253r627750_rule |
| Description | To set up SSH server to use entropy from a high-quality source, edit the SSH_USE_STRONG_RNG=32 |
| Rationale | SSH implementation in Red Hat Enterprise Linux 8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. |
| Warnings | warning
This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available. |
Prevent remote hosts from connecting to the proxy display
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84058-7 References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040341, SV-230556r627750_rule |
| Description | The SSH daemon should prevent remote hosts from connecting to the proxy
display.
|
| Rationale | When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the |
Install the OpenSSH Server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83303-8 References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, RHEL-08-040159, SV-244549r743896_rule |
| Description | The $ sudo yum install openssh-server |
| Rationale | Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. |
Enable the OpenSSH Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82426-8 References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.1.13, 3.5.4, 3.13.8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, RHEL-08-040160, SV-230526r744032_rule |
| Description | The SSH server service, sshd, is commonly needed.
The $ sudo systemctl enable sshd.service |
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
|
Certificate status checking in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_certificate_verification |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86120-3 References: CCI-001948, CCI-001954, IA-2(11), SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162, RHEL-08-010400, SV-230274r809281_rule |
| Description | Multifactor solutions that require devices separate from information systems gaining access include,
for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
Configuring |
| Rationale | Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system. |
Enable Certmap in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_certmap |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86060-1 References: CCI-000187, IA-5 (2) (c), SRG-OS-000068-GPOS-00036, RHEL-08-020090, SV-230355r818836_rule |
| Description | SSSD should be configured to verify the certificate of the user or group. To set this up
ensure that section like
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
|
| Rationale | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. |
| Warnings | warning
Automatic remediation of this control is not available, since all of the settings in
in the certmap need to be customized. |
Enable Smartcards in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_smartcards |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80909-5 References: CCI-001954, CCI-000765, CCI-000766, CCI-000767, CCI-000768, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000107-VMM-000530, RHEL-08-020250, SV-230372r627750_rule |
| Description | SSSD should be configured to authenticate access to the system using smart cards.
To enable smart cards in SSSD, set [pam] pam_cert_auth = TrueAdd or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include "try_cert_auth" or "require_cert_auth" option, like in the following example: /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_authAlso add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to include the "allow_missing_name" option, like in the following example: /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
|
Configure SSSD to Expire Offline Credentials
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82460-7 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-002007, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166, SRG-OS-000383-VMM-001570, RHEL-08-020290, SV-230376r627750_rule |
| Description | SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command: $ sudo grep cache_credentials /etc/sssd/sssd.conf cache_credentials = trueIf "cache_credentials" is set to "false" or is missing no further checks are required. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam] offline_credentials_expiration = 1 |
| Rationale | If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
Install usbguard Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_usbguard_installed |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_usbguard_installed:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82959-8 References: CCI-001958, 1418, CM-8(3), IA-3, SRG-OS-000378-GPOS-00163, RHEL-08-040139, SV-244547r743890_rule |
| Description |
The $ sudo yum install usbguard |
| Rationale |
|
package usbguard is installed oval:ssg-test_package_usbguard_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type rpminfo_object
| Name |
|---|
| usbguard |
Enable the USBGuard Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_usbguard_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82853-3 References: CCI-000416, CCI-001958, 1418, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040141, SV-244548r743893_rule |
| Description | The USBGuard service should be enabled.
The $ sudo systemctl enable usbguard.service |
| Rationale | The |
Log USBGuard daemon audit events using Linux Audit
| Rule ID | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82168-6 References: CCI-000169, CCI-000172, AU-2, CM-8(3), IA-3, FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215, RHEL-08-030603, SV-230470r744006_rule |
| Description | To configure USBGuard daemon to log via Linux Audit
(as opposed directly to a file),
|
| Rationale | Using the Linux Audit logging allows for centralized trace of events. |
Generate USBGuard Policy
| Rule ID | xccdf_org.ssgproject.content_rule_usbguard_generate_policy |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83774-0 References: CCI-000416, CCI-001958, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, RHEL-08-040140, SV-230524r744026_rule |
| Description | By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration must be generated based on current connected USB devices. |
| Rationale | The |
Disable graphical user interface
| Rule ID | xccdf_org.ssgproject.content_rule_xwindows_remove_packages |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-xwindows_remove_packages:def:1 |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83411-9 References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040320, SV-230553r809324_rule |
| Description | By removing the following packages, the system no longer has X Windows installed.
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland |
| Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. |
| Warnings | warning
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
which might bring your system to an inconsistent state requiring additional configuration to access the system
again.
The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target.
If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
continuing installation.warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
X11 graphic libraries are dependency of OpenStack Cinderlib storage provider. |
package xorg-x11-server-Xorg is removed oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xorg_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-Xorg |
package xorg-x11-server-common is removed oval:ssg-test_package_xorg-x11-server-common_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-common |
package xorg-x11-server-utils is removed oval:ssg-package_xorg-x11-server-utils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-utils_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-utils |
package xorg-x11-server-Xwayland is removed oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xwayland_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-Xwayland |
Disable X Windows Startup By Setting Default Target
| Rule ID | xccdf_org.ssgproject.content_rule_xwindows_runlevel_target |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-10T23:34:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83380-6 References: 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040321, 2.2.2, SV-251718r809378_rule |
| Description | Systems that do not require a graphical user interface should only boot by
default into $ systemctl set-default multi-user.targetYou should see the following output: Removed symlink /etc/systemd/system/default.target. Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target. |
| Rationale | Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented. |